Project: Geode

GEODE-10449: Update shiro-core to version 1.12.0 for CVE-2023-34478

Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.15.1

    Description

      As per https://nvd.nist.gov/vuln/detail/CVE-2023-34478,

      "Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+"

      Geode 1.15.1 bundles version 1.9.1 of shiro-core jar which is vulnerable as per the CVE.


      There is another CVE related to shiro-core 1.9.1, https://nvd.nist.gov/vuln/detail/CVE-2023-22602, which states

      "When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`"


      The fix for the mentioned vulnerabilities seems to have been merged into the "develop" branch via commit https://github.com/apache/geode/commit/d1958146c12affb1fe3eabc5823bb4eeb6c0badc

      Logging this Jira to update the same in the 1.15.1 branch as well.
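      The practical check behind this ticket is whether the shiro-core jar shipped in a Geode install's lib directory is older than the fixing releases named in the two advisories (1.12.0 for CVE-2023-34478, 1.11.0 for CVE-2023-22602). The script below is an added example, not code from the Geode project or from this ticket; it assumes the bundled jar is named `shiro-core-<version>.jar` (the sample directory listing is constructed) and compares versions numerically, because a plain string comparison would wrongly rank 1.9.1 above 1.12.0.

```python
import re
from pathlib import Path

# First shiro-core release on the 1.x line that fixes each advisory quoted in
# the ticket. (2.0.0-alpha-3 also fixes CVE-2023-34478, but Geode tracks the
# 1.x line, so only that line is assessed here.)
FIXED_IN_1X = {
    "CVE-2023-34478": (1, 12, 0),
    "CVE-2023-22602": (1, 11, 0),
}

# Assumed jar naming convention: shiro-core-<numeric version>.jar.
# Pre-release qualifiers (e.g. -SNAPSHOT) are not handled; such jars are
# skipped so they can be reviewed by hand rather than misjudged.
JAR_RE = re.compile(r"^shiro-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '1.9.1' into (1, 9, 1). Tuples of ints compare correctly, unlike
    the raw strings, where '1.9.1' > '1.12.0' because '9' > '1'."""
    return tuple(int(part) for part in text.split("."))


def shiro_version_from_jar(filename):
    """Return the parsed version for a shiro-core jar, or None for other jars."""
    m = JAR_RE.match(Path(filename).name)
    return parse_version(m.group(1)) if m else None


def unpatched_cves(version):
    """List the advisories a given 1.x shiro-core version still lacks a fix for."""
    if version[0] != 1:
        return []  # 2.x has its own fix line; not assessed here
    return [cve for cve, fixed in FIXED_IN_1X.items() if version < fixed]


def assess_lib_dir(filenames):
    """Map each shiro-core jar name found to its list of unpatched CVE ids."""
    findings = {}
    for name in filenames:
        version = shiro_version_from_jar(name)
        if version is not None:
            findings[Path(name).name] = unpatched_cves(version)
    return findings


# Constructed sample listing, standing in for `ls lib/` of a Geode install.
SAMPLE_LIB = [
    "lib/geode-core-1.15.1.jar",
    "lib/shiro-core-1.9.1.jar",
    "lib/shiro-core-1.12.0.jar",
    "lib/commons-lang3-3.12.0.jar",
]

if __name__ == "__main__":
    for jar, cves in assess_lib_dir(SAMPLE_LIB).items():
        print(jar, "->", "OK" if not cves else ", ".join(cves))
```

      Run against a real install by replacing SAMPLE_LIB with `[str(p) for p in Path("lib").iterdir()]`; the 1.9.1 jar from the sample is reported against both advisories, while 1.12.0 is reported clean.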

          People

            Assignee: Unassigned
            Reporter: Ankush Mittal (mittalankush)