Use Moqui Framework to build enterprise applications based on Java. It includes tools for databases (relational, graph, document), local and web services, web and other UI with screens and forms, security, file/resource access, scripts, templates, l10n, caching, logging, search, rules, workflow, multi-instance, and integration.
CVE-2020-1957 - High Severity Vulnerability
Vulnerable Library - shiro-core-1.4.2.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: http://shiro.apache.org/shiro-core/
Path to dependency file: /tmp/ws-scm/moqui-framework/framework/build.gradle
Path to vulnerable library: le/caches/modules-2/files-2.1/org.apache.shiro/shiro-core/1.4.2/9129c0cc8c640b9ef0ef7a3b1f898ff69f041749/shiro-core-1.4.2.jar
Dependency Hierarchy:
- :x: **shiro-core-1.4.2.jar** (Vulnerable Library)
Found in HEAD commit: ed244c272391dc9235b0c903f881377767174a9c
Vulnerability Details
In Apache Shiro before 1.5.2, when Apache Shiro is used with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
Publish Date: 2020-03-25
URL: CVE-2020-1957
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://shiro.apache.org/news.html
Release Date: 2020-03-25
Fix Resolution: org.apache.shiro:shiro-core:1.5.1