Description
In Apache Shiro before 1.8.0, when Apache Shiro is used with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.
A flaw was found in Apache Shiro. When using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. The highest threat from this vulnerability is to data confidentiality, integrity as well as system availability.
Report
Although Red Hat OpenStack Platform's OpenDaylight includes the affected code, the vulnerable function is not used and is therefore not exploitable. For this reason, the RHOSP impact is low, and no update will be provided at this time for OpenDaylight.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Fuse 7 | shiro-web | Fix deferred | | |
| Red Hat JBoss A-MQ 6 | shiro-web | Out of support scope | | |
| Red Hat JBoss Fuse 6 | shiro-web | Out of support scope | | |
| Red Hat OpenStack Platform 10 (Newton) | opendaylight | Out of support scope | | |
| Red Hat OpenStack Platform 13 (Queens) | opendaylight | Out of support scope | | |
Additional information
Status:
9.8 Critical
CVSS3
Related vulnerabilities
In Apache Shiro before 1.8.0, when Apache Shiro is used with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.
Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a ...
Apache Shiro vulnerable to a specially crafted HTTP request causing an authentication bypass
A vulnerability in the Apache Shiro framework related to flaws in the authentication mechanism, allowing an attacker to gain unauthorized access to protected information