Date: Wed, 4 Nov 2020 16:30:27 -0500 From: Brian Demers <bdemers@...che.org> To: oss-security@...ts.openwall.com Cc: security <security@...ro.apache.org> Subject: [CVE-2020-17510] Apache Shiro Authentication Bypass Vulnerability Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. If you are NOT using Shiro’s Spring Boot Starter (`shiro-spring-boot-web-starter`), you must configure add the ShiroRequestMappingConfig auto configuration to your application or configure the equivalent manually.  https://www.apache.org/security/  https://shiro.apache.org/spring-framework.html#SpringFramework-WebConfig  https://github.com/apache/shiro/blob/shiro-root-1.7.0/support/spring/src/main/java/org/apache/shiro/spring/web/config/ShiroRequestMappingConfig.java#L28-L30
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.