Posted to issues@geode.apache.org by "Ankush Mittal (Jira)" <ji...@apache.org> on 2023/03/01 10:32:00 UTC

[jira] [Created] (GEODE-10443) Update shiro-core to version 1.11.0 for CVE-2022-40664

Ankush Mittal created GEODE-10443:
-------------------------------------

             Summary: Update shiro-core to version 1.11.0 for CVE-2022-40664
                 Key: GEODE-10443
                 URL: https://issues.apache.org/jira/browse/GEODE-10443
             Project: Geode
          Issue Type: Bug
    Affects Versions: 1.15.1
            Reporter: Ankush Mittal


As per https://nvd.nist.gov/vuln/detail/CVE-2022-40664,

_"Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher."_

 

Geode 1.15.1 bundles version 1.9.1 of the shiro-core jar, which is vulnerable as per the CVE.

 

Also, although the CVE doesn't include "1.10.0", since the more recent version "1.11.0" is available, this ticket is logged to bundle the same.


