[ https://issues.apache.org/jira/browse/OFBIZ-12839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17745972#comment-17745972 ]

ASF subversion and git services commented on OFBIZ-12839:
---------------------------------------------------------

Commit 3d34f5be1ee0ce27eb3cc029baa961acf160dbbe in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=3d34f5be1e ]

Fixed: [CVE-2023-34478] Apache Shiro, before 1.12.0, is susceptible to a path traversal attack (OFBIZ-12839)

See https://lists.apache.org/thread/jowcs5nd4tz5fxwl1mqkqnvyrwwx59qo for details

> [CVE-2023-34478] Apache Shiro, before 1.12.0, is susceptible to a path traversal attack
> ---------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-12839
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12839
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: 22.01.01, Upcoming Branch, 18.12.09
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 22.01.01, 18.12.09
>
>
> Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.
>
> Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+.
>
> Credit: Apache Shiro would like to thank swifty tk for reporting this issue.
>
> -The Apache Shiro Team
>
> Also at [https://lists.apache.org/thread/jowcs5nd4tz5fxwl1mqkqnvyrwwx59qo]
>
> jleroux: from the description I'm not sure OFBiz is concerned, anyway better to be safe than sorry

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
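The advisory quoted above describes a class of bug rather than a specific payload: URL-pattern access rules (Shiro's filter chain is one instance) are evaluated on one form of the request path while the framework behind them routes on a canonicalized form, so the two can disagree on which resource is being protected. The following is an added illustration, written for this page and not code from OFBiz or Apache Shiro; it does not reproduce Shiro's internals, and the rule set, the toy Ant-style matcher and the sample paths are all constructed. It places a check that matches the raw path beside one that canonicalizes first, which is the property the fixed versions restore. The mitigation that actually applies to the issue is the one the advisory states: upgrade to Shiro 1.12.0+ or 2.0.0-alpha-3+.

```python
"""Why URL-based access rules must be evaluated on a canonical path.

Constructed example for this page (not OFBiz or Shiro code).  A Shiro-style
filter chain maps URL patterns to filters, first match wins.  If the router
behind it serves a canonicalized path while the access check looked at the
raw path, the check may allow a request the router then maps to a protected
resource.  Canonicalizing before the check, the same way the router does,
closes that gap.
"""
import posixpath
from urllib.parse import unquote

# Constructed rule set in Shiro filter-chain style: the protected prefix
# comes first, then the catch-all that allows anonymous access.
RULES = [
    ("/admin/**", "authc"),   # requires an authenticated subject
    ("/**", "anon"),          # everything else is public
]


def matches(pattern: str, path: str) -> bool:
    """Minimal Ant-style matcher supporting only a trailing '/**'."""
    if pattern.endswith("/**"):
        base = pattern[:-3] or "/"
        return path == base or path.startswith(base.rstrip("/") + "/")
    return pattern == path


def resolve_filter(path: str) -> str:
    """First matching pattern wins, as in a Shiro filter chain."""
    for pattern, filt in RULES:
        if matches(pattern, path):
            return filt
    return "anon"


def canonicalize(raw_path: str) -> str:
    """Canonical form a router would use: percent-decode, collapse '.',
    '..' and repeated slashes, and keep the result rooted at '/'."""
    decoded = unquote(raw_path)
    # lstrip + single '/' avoids POSIX's special treatment of a leading '//'
    return posixpath.normpath("/" + decoded.lstrip("/"))


def is_authorized_unsafe(raw_path: str, authenticated: bool) -> bool:
    """The pattern the advisory warns about: rules applied to the raw path."""
    return resolve_filter(raw_path) != "authc" or authenticated


def is_authorized(raw_path: str, authenticated: bool) -> bool:
    """Hardened form: rules applied to the path the router will serve."""
    return resolve_filter(canonicalize(raw_path)) != "authc" or authenticated


if __name__ == "__main__":
    # Constructed request paths; the second one routes to /admin/users.
    for p in ["/admin/users", "/public/../admin/users", "/index.html"]:
        print(f"{p:28} -> {canonicalize(p):14} "
              f"raw-check allows anon: {is_authorized_unsafe(p, False)}  "
              f"canonical-check allows anon: {is_authorized(p, False)}")
```

The design point is not the matcher but the ordering: whatever canonicalization the downstream router applies (decoding, dot-segment removal, slash collapsing) has to be applied before the access decision, or the decision is made about a different resource than the one served. When reviewing a deployment, compare the path form the security filter sees with the one the application router uses; any step that normalizes after the filter ran is a finding.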