[ https://issues.apache.org/jira/browse/GEODE-10443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17733786#comment-17733786 ]
ASF subversion and git services commented on GEODE-10443:
---------------------------------------------------------

Commit 55d92bb9683bf2c145219f22a122078d53f35364 in geode's branch refs/heads/develop from jakevin
[ https://gitbox.apache.org/repos/asf?p=geode.git;h=55d92bb968 ]

GEODE-10443: Update shiro-core to version 1.11.0 for CVE-2022-40664 (#7881)

> Update shiro-core to version 1.11.0 for CVE-2022-40664
> ------------------------------------------------------
>
> Key: GEODE-10443
> URL: https://issues.apache.org/jira/browse/GEODE-10443
> Project: Geode
> Issue Type: Bug
> Affects Versions: 1.15.1
> Reporter: Ankush Mittal
> Priority: Major
> Labels: needsTriage, pull-request-available
>
> As per [https://nvd.nist.gov/vuln/detail/CVE-2022-40664],
> _"Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro
> when forwarding or including via RequestDispatcher."_
> Geode 1.15.1 bundles version 1.9.1 of the shiro-core jar, which is vulnerable as
> per the CVE.
> Also, although the CVE doesn't include "1.10.0", since a newer version
> "1.11.0" is available, logged ticket to bundle the same.

--
This message was sent by Atlassian Jira (v8.20.10#820010)