ReachabilityOrg / Reachability4

Apache License 2.0

shiro-web-1.2.0.jar: 6 vulnerabilities (highest severity is: 9.8) unreachable #10

Open dev-mend-for-github-com[bot] opened 1 year ago

dev-mend-for-github-com[bot] commented 1 year ago
Vulnerable Library - shiro-web-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: http://shiro.apache.org/shiro-web/

Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar

Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (shiro-web version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|
| CVE-2020-1957 | Critical | 9.8 | shiro-web-1.2.0.jar | Direct | 1.5.2 | | Unreachable |
| CVE-2020-17510 | Critical | 9.8 | shiro-web-1.2.0.jar | Direct | 1.7.0 | | Unreachable |
| CVE-2020-11989 | Critical | 9.8 | shiro-web-1.2.0.jar | Direct | 1.5.3 | | Unreachable |
| CVE-2016-6802 | High | 7.5 | shiro-web-1.2.0.jar | Direct | 1.3.2 | | Unreachable |
| CVE-2019-10086 | High | 7.3 | commons-beanutils-1.8.3.jar | Transitive | 1.5.0 | | Unreachable |
| CVE-2014-0114 | High | 7.3 | commons-beanutils-1.8.3.jar | Transitive | 1.5.0 | | Unreachable |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-1957

### Vulnerable Library - shiro-web-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: http://shiro.apache.org/shiro-web/

Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar

Dependency Hierarchy:
- :x: **shiro-web-1.2.0.jar** (Vulnerable Library)

Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2

Found in base branch: master

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

In Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

Publish Date: 2020-03-25

URL: CVE-2020-1957

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://shiro.apache.org/news.html

Release Date: 2020-03-25

Fix Resolution: 1.5.2

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2020-17510

### Vulnerable Library - shiro-web-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: http://shiro.apache.org/shiro-web/

Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar

Dependency Hierarchy:
- :x: **shiro-web-1.2.0.jar** (Vulnerable Library)

Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2

Found in base branch: master

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

In Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.

Publish Date: 2020-11-05

URL: CVE-2020-17510

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E

Release Date: 2020-11-05

Fix Resolution: 1.7.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2020-11989

### Vulnerable Library - shiro-web-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: http://shiro.apache.org/shiro-web/

Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar

Dependency Hierarchy:
- :x: **shiro-web-1.2.0.jar** (Vulnerable Library)

Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2

Found in base branch: master

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

In Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

Publish Date: 2020-06-22

URL: CVE-2020-11989

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://issues.apache.org/jira/browse/SHIRO-753

Release Date: 2020-06-22

Fix Resolution: 1.5.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2016-6802

### Vulnerable Library - shiro-web-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: http://shiro.apache.org/shiro-web/

Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar

Dependency Hierarchy:
- :x: **shiro-web-1.2.0.jar** (Vulnerable Library)

Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2

Found in base branch: master

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.

Publish Date: 2016-09-20

URL: CVE-2016-6802

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-6802

Release Date: 2016-09-20

Fix Resolution: 1.3.2

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2019-10086

### Vulnerable Library - commons-beanutils-1.8.3.jar

BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

Library home page: http://commons.apache.org/beanutils/

Path to dependency file: /ksa-web-root/ksa-security-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar

Dependency Hierarchy:
- shiro-web-1.2.0.jar (Root Library)
  - shiro-core-1.2.0.jar
    - :x: **commons-beanutils-1.8.3.jar** (Vulnerable Library)

Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2

Found in base branch: master

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however, were not using this by-default characteristic of the PropertyUtilsBean.

Publish Date: 2019-08-20

URL: CVE-2019-10086

### CVSS 3 Score Details (7.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version

Release Date: 2019-08-20

Fix Resolution (commons-beanutils:commons-beanutils): 1.9.4

Direct dependency fix Resolution (org.apache.shiro:shiro-web): 1.5.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2014-0114

### Vulnerable Library - commons-beanutils-1.8.3.jar

BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

Library home page: http://commons.apache.org/beanutils/

Path to dependency file: /ksa-web-root/ksa-security-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar

Dependency Hierarchy:
- shiro-web-1.2.0.jar (Root Library)
  - shiro-core-1.2.0.jar
    - :x: **commons-beanutils-1.8.3.jar** (Vulnerable Library)

Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2

Found in base branch: master

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Publish Date: 2014-04-30

URL: CVE-2014-0114

### CVSS 3 Score Details (7.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114

Release Date: 2014-04-30

Fix Resolution (commons-beanutils:commons-beanutils): 1.9.4

Direct dependency fix Resolution (org.apache.shiro:shiro-web): 1.5.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

dev-mend-for-github-com[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

dev-mend-for-github-com[bot] commented 1 year ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.