[OFBIZ-12839] [CVE-2023-34478] Apache Shiro, before 1.12.0, is susceptible to a path traversal attack - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 22.01.01, Upcoming Branch, 18.12.09
Fix Version/s: 22.01.01, 18.12.09
Component/s: framework
Labels:
None

Sprint:
Bug Crush Event - 21/2/2015

Description

Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.
Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+.

Credit: Apache Shiro would like to thank swifty tk for reporting this issue.
-The Apache Shiro Team

Also at https://lists.apache.org/thread/jowcs5nd4tz5fxwl1mqkqnvyrwwx59qo

jleroux: from the description I'm not sure OFBiz is concerned, anyway better to be safe than sorry

Attachments

Activity

People

Assignee:: Jacques Le Roux

Reporter:: Jacques Le Roux

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 22/Jul/23 16:59

Updated:: 23/Jul/23 15:45

Resolved:: 22/Jul/23 18:13