oss-sec mailing list archives
Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Wed, 12 Oct 2022 12:21:40 -0700
On 10/11/22 19:52, Brian Demers wrote:
Description: Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher. Credit: Apache Shiro would like to thank Y4tacker for reporting this issue
Thanks for informing oss-security of these issues, but good security announcements have a little more detail, like what actions users or distributors need to take (upgrade to a new version? what version?) and information on where to find more details, like a bug id in your bug tracker. If you look at the announcements from other Apache projects, you'll see they often include those. Some good examples: https://www.openwall.com/lists/oss-security/2021/12/18/2 https://www.openwall.com/lists/oss-security/2022/01/05/4 https://www.openwall.com/lists/oss-security/2022/01/06/2 -- -Alan Coopersmith- alan.coopersmith () oracle com Oracle Solaris Engineering - https://blogs.oracle.com/solaris
Current thread:
- CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher Brian Demers (Oct 12)
- Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher Alan Coopersmith (Oct 12)