Use Moqui Framework to build enterprise applications based on Java. It includes tools for databases (relational, graph, document), local and web services, web and other UI with screens and forms, security, file/resource access, scripts, templates, l10n, caching, logging, search, rules, workflow, multi-instance, and integration.
CVE-2020-11989 - High Severity Vulnerability
Vulnerable Library - shiro-web-1.5.2.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://shiro.apache.org/
Path to dependency file: /tmp/ws-scm/moqui-framework/framework/build.gradle
Path to vulnerable library: canner/.gradle/caches/modules-2/files-2.1/org.apache.shiro/shiro-web/1.5.2/6b770654a1385b51ef19cf19393232c182725aaa/shiro-web-1.5.2.jar
Dependency Hierarchy:
- **shiro-web-1.5.2.jar** (Vulnerable Library)
Found in HEAD commit: fd3ceaf058bc41a5cb47a80f53a2788f20c17019
Vulnerability Details
In Apache Shiro before 1.5.3, when Shiro is used with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
Publish Date: 2020-06-22
URL: CVE-2020-11989
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

Suggested Fix
Type: Upgrade version
Origin: https://issues.apache.org/jira/browse/SHIRO-753
Release Date: 2020-06-22
Fix Resolution: org.apache.shiro:shiro-web:1.5.3, org.apache.shiro:shiro-all:1.5.3