Details
Improvement
Status: Open
Major
Resolution: Unresolved
Description
Zeppelin is currently using Shiro version 1.10.0.
https://github.com/apache/zeppelin/blob/master/pom.xml#L138
But Apache Shiro said "Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests."
https://shiro.apache.org/blog/2023/07/18/apache-shiro-1120-released.html
So I request that you update the Shiro version for the latest Zeppelin.
I saw that one PR is already open, so I am not creating a new issue.
https://github.com/apache/zeppelin/pull/4636
Can you share the plan for updating this version of shiro?