Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
1.15.1
-
None
-
None
Description
As per https://nvd.nist.gov/vuln/detail/CVE-2023-34478 ,
"Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+"
Geode 1.15.1 bundles version 1.9.1 of shiro-core jar which is vulnerable as per the CVE.
There is another CVE related to shiro-core 1.9.1, https://nvd.nist.gov/vuln/detail/CVE-2023-22602 ,
which states
"When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`"
Fix for the mentioned vulnerabilities seems to be merged in "develop" branch via commit https://github.com/apache/geode/commit/d1958146c12affb1fe3eabc5823bb4eeb6c0badc
Logging this Jira to update the same in 1.15.1 branch as well.