You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@geode.apache.org by "Ankush Mittal (Jira)" <ji...@apache.org> on 2023/03/01 10:32:00 UTC
[jira] [Created] (GEODE-10443) Update shiro-core to version 1.11.0 for CVE-2022-40664
Ankush Mittal created GEODE-10443:
-------------------------------------
Summary: Update shiro-core to version 1.11.0 for CVE-2022-40664
Key: GEODE-10443
URL: https://issues.apache.org/jira/browse/GEODE-10443
Project: Geode
Issue Type: Bug
Affects Versions: 1.15.1
Reporter: Ankush Mittal
As per [https://nvd.nist.gov/vuln/detail/CVE-2022-40664] ,
_"Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher."_
Geode 1.15.1 bundles version 1.9.1 of shiro-core jar which is vulnerable as per the CVE.
Also although the CVE doesn't include "1.10.0", but since more latest version "1.11.0" is available, logged ticket to bundle the same.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)