Ankush Mittal created GEODE-10449:
-------------------------------------
Summary: Update shiro-core to version 1.12.0 for CVE-2023-34478
Key: GEODE-10449
URL: https://issues.apache.org/jira/browse/GEODE-10449
Project: Geode
Issue Type: Bug
Affects Versions: 1.15.1
Reporter: Ankush Mittal
As per [https://nvd.nist.gov/vuln/detail/CVE-2023-34478] ,
_"Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path
traversal attack that results in an authentication bypass when used together
with APIs or other web frameworks that route requests based on non-normalized
requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+"_
Geode 1.15.1 bundles version 1.9.1 of shiro-core jar which is vulnerable as per
the CVE.
There is another CVE related to shiro-core 1.9.1,
[https://nvd.nist.gov/vuln/detail/CVE-2023-22602] ,
which states
"When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a
specially crafted HTTP request may cause an authentication bypass. The
authentication bypass occurs when Shiro and Spring Boot are using different
pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant
style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the
following Spring Boot configuration value:
`spring.mvc.pathmatch.matching-strategy = ant_path_matcher`"
Fix for the mentioned vulnerabilities seems to be merged in "develop" branch
via commit
[https://github.com/apache/geode/commit/d1958146c12affb1fe3eabc5823bb4eeb6c0badc]
Logging this Jira to update the same in 1.15.1 branch as well.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
