CVE-2020-1957

Опубликовано: 25 мар. 2020

Источник: debian

EPSS Высокий

Описание

Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

Пакет	Статус	Версия исправления	Релиз	Тип
shiro	fixed	1.3.2-5		package
shiro	fixed	1.3.2-4+deb11u1	bullseye	package
shiro	fixed	1.3.2-4+deb10u1	buster	package

https://www.openwall.com/lists/oss-security/2020/03/23/2
Fixed by: https://github.com/apache/shiro/commit/3708d7907016bf2fa12691dff6ff0def1249b8ce#diff-98f7bc5c0391389e56531f8b3754081aL139
https://github.com/apache/shiro/pull/203#issuecomment-606270322
Fix for CVE-2020-1957 introduces a (security sensitive) encoding issue
resulting in a followup release 1.5.3.

EPSS

Процентиль: 99%

0.86102

Высокий

CVE-2020-1957

CVSS3: 9.8

ubuntu

больше 5 лет назад

Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

CVE-2020-1957

CVSS3: 9.8

redhat

больше 5 лет назад

Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

CVE-2020-1957

CVSS3: 9.8

nvd

больше 5 лет назад

Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

GHSA-26gr-cvq3-qxgf

CVSS3: 9.8

github

больше 4 лет назад

Improper Authentication in Apache Shiro

EPSS

Процентиль: 99%

0.86102

Высокий