ZEPPELIN-5948

Update shiro version from 1.10.0 to 1.12.0 due to CVE-2023-34478


Details

    • Improvement
    • Status: Open
    • Major
    • Resolution: Unresolved
    • security

    Description

      Zeppelin is currently using Shiro version 1.10.0.

      https://github.com/apache/zeppelin/blob/master/pom.xml#L138


      But Apache Shiro said "Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests."

      https://shiro.apache.org/blog/2023/07/18/apache-shiro-1120-released.html


      So I request that you update the Shiro version for the latest Zeppelin.

      I saw that one PR is already open, so I didn't create a new issue.

      https://github.com/apache/zeppelin/pull/4636


      Can you share the plan for updating this version of shiro?
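As an added dependency check that is not part of this issue or of the Zeppelin code base: a small Python audit that reads the Shiro version out of a Maven pom.xml (the `shiro.version` property name and the sample pom are assumptions constructed here) and reports whether it falls below the fixed versions named in the Shiro announcement quoted above (1.12.0 for the 1.x line, 2.0.0-alpha-3 for the 2.x pre-releases).

```python
import re
import xml.etree.ElementTree as ET

# Fixed versions taken from the Shiro 1.12.0 release note quoted in this issue.
FIXED_1X = (1, 12, 0)
FIXED_2X_ALPHA = 3  # 2.0.0-alpha-3

def parse_version(v):
    """Split '1.10.0' or '2.0.0-alpha-3' into ((major, minor, patch), alpha_number_or_None)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-alpha-(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Shiro version string: {v!r}")
    major, minor, patch, alpha = m.groups()
    return (int(major), int(minor), int(patch)), (int(alpha) if alpha else None)

def is_affected(v):
    """True when the given Shiro version predates the fix for CVE-2023-34478."""
    core, alpha = parse_version(v)
    if core[0] >= 2:
        # Only the 2.0.0 alphas before alpha-3 are affected; GA 2.x is fixed.
        if core == (2, 0, 0) and alpha is not None:
            return alpha < FIXED_2X_ALPHA
        return False
    return core < FIXED_1X

def shiro_version_from_pom(pom_xml):
    """Return the text of the <shiro.version> property (assumed name), namespace-agnostic."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():
        if el.tag.split("}")[-1] == "shiro.version" and el.text:
            return el.text.strip()
    return None

# Constructed sample pom mirroring the version this issue reports; not Zeppelin's real file.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <shiro.version>1.10.0</shiro.version>
  </properties>
</project>"""

def audit(pom_xml):
    """One-line verdict suitable for a CI log."""
    v = shiro_version_from_pom(pom_xml)
    if v is None:
        return "no shiro.version property found"
    verdict = "AFFECTED by CVE-2023-34478, upgrade to 1.12.0" if is_affected(v) else "not affected"
    return f"shiro {v}: {verdict}"

if __name__ == "__main__":
    print(audit(SAMPLE_POM))
```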

      People

        Assignee: Unassigned
        Reporter: youngjin.yang