Date: Mon, 24 Jul 2023 18:06:06 +0000 From: Brian Demers <bdemers@...che.org> To: oss-security@...ts.openwall.com Subject: CVE-2023-34478: Apache Shiro before 1.12.0, or 2.0.0-alpha-3, may be susceptible to a path traversal attack when used together with APIs or other web frameworks that route requests based on non-normalized requests. Severity: important Affected versions: - Apache Shiro before 1.12.0 - Apache Shiro before 2.0.0-alpha-3 Description: Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+ Credit: tkswifty (finder) Ha1c9on (finder) References: https://lists.apache.org/thread/mbv26onkgw9o35rldh7vmq11wpv2t2qk https://shiro.apache.org/ https://www.cve.org/CVERecord?id=CVE-2023-34478
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.