[ 
https://issues.apache.org/jira/browse/GEODE-10443?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ankush Mittal updated GEODE-10443:
----------------------------------
    Description: 
As per [https://nvd.nist.gov/vuln/detail/CVE-2022-40664] ,

_"Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when 
forwarding or including via RequestDispatcher."_

Geode 1.15.1 bundles version 1.9.1 of the shiro-core jar, which is vulnerable as 
per the CVE.

Also, although the CVE doesn't include "1.10.0", since the more recent version 
"1.11.0" is available, this ticket was logged to bundle the same.

  was:
As per [https://nvd.nist.gov/vuln/detail/CVE-2022-40664] ,

_"Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when 
forwarding or including via RequestDispatcher."_

 

Geode 1.15.1 bundles version 1.9.1 of the shiro-core jar, which is vulnerable as 
per the CVE.

 

Also, although the CVE doesn't include "1.10.0", since the more recent version 
"1.11.0" is available, this ticket was logged to bundle the same.


> Update shiro-core to version 1.11.0 for CVE-2022-40664
> ------------------------------------------------------
>
>                 Key: GEODE-10443
>                 URL: https://issues.apache.org/jira/browse/GEODE-10443
>             Project: Geode
>          Issue Type: Bug
>    Affects Versions: 1.15.1
>            Reporter: Ankush Mittal
>            Priority: Major
>              Labels: needsTriage
>
> As per [https://nvd.nist.gov/vuln/detail/CVE-2022-40664] ,
> _"Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro 
> when forwarding or including via RequestDispatcher."_
> Geode 1.15.1 bundles version 1.9.1 of the shiro-core jar, which is vulnerable 
> as per the CVE.
> Also, although the CVE doesn't include "1.10.0", since the more recent version 
> "1.11.0" is available, this ticket was logged to bundle the same.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
