Apache Shiro is a powerful and flexible open-source security framework that cleanly handles
authentication, authorization, enterprise session management, single sign-on and cryptography services.
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.4/shiro-web-1.2.4.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.4/shiro-web-1.2.4.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.4/shiro-web-1.2.4.jar
CVE-2022-40664 - Critical Severity Vulnerability
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: http://www.apache.org/
Path to dependency file: /core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.4/shiro-web-1.2.4.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.4/shiro-web-1.2.4.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.4/shiro-web-1.2.4.jar
Dependency Hierarchy: - uimaj-as-activemq-2.9.0.jar (Root Library) - activemq-shiro-5.14.0.jar - shiro-spring-1.2.4.jar - :x: **shiro-web-1.2.4.jar** (Vulnerable Library)
Found in base branch: master
Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.
Publish Date: 2022-10-12
URL: CVE-2022-40664
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg
Release Date: 2022-10-12
Fix Resolution: org.apache.shiro:shiro-web:1.10.0;org.apache.shiro:shiro-all:1.10.0