CVE-2020-11989 (High) detected in shiro-web-1.5.2.jar

[mend-bolt-for-github[bot]]

CVE-2020-11989 - High Severity Vulnerability

Vulnerable Library - shiro-web-1.5.2.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: https://shiro.apache.org/

Path to dependency file: /tmp/ws-scm/moqui-framework/framework/build.gradle

Path to vulnerable library: canner/.gradle/caches/modules-2/files-2.1/org.apache.shiro/shiro-web/1.5.2/6b770654a1385b51ef19cf19393232c182725aaa/shiro-web-1.5.2.jar,canner/.gradle/caches/modules-2/files-2.1/org.apache.shiro/shiro-web/1.5.2/6b770654a1385b51ef19cf19393232c182725aaa/shiro-web-1.5.2.jar

Dependency Hierarchy: - :x: **shiro-web-1.5.2.jar** (Vulnerable Library)

Found in HEAD commit: fd3ceaf058bc41a5cb47a80f53a2788f20c17019

Vulnerability Details

Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

Publish Date: 2020-06-22

URL: CVE-2020-11989

CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://issues.apache.org/jira/browse/SHIRO-753

Release Date: 2020-06-22

Fix Resolution: org.apache.shiro:shiro-web:1.5.3,org.apache.shiro:shiro-all:1.5.3

---

Step up your Open Source Security Game with WhiteSource here

[jonesde]

Updated in commit 69bebb75