Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher

[Brian Demers <bdemers () apache org>]

Thanks for the feedback Alan, I'll make sure to include additional info in
the future.

For now:

Mitigation:
  Update to Shiro 1.10.0

References:
  https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg

On Wed, Oct 12, 2022 at 3:21 PM Alan Coopersmith <
alan.coopersmith () oracle com> wrote:

> On 10/11/22 19:52, Brian Demers wrote:
> > Description:
> >
> > Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in
> > Shiro when forwarding or including via RequestDispatcher.
> >
> > Credit:
> >
> > Apache Shiro would like to thank Y4tacker for reporting this issue
>
> Thanks for informing oss-security of these issues, but good security
> announcements have a little more detail, like what actions users or
> distributors need to take (upgrade to a new version?  what version?)
> and information on where to find more details, like a bug id in your
> bug tracker.  If you look at the announcements from other Apache
> projects, you'll see they often include those.
>
> Some good examples:
> https://www.openwall.com/lists/oss-security/2021/12/18/2
> https://www.openwall.com/lists/oss-security/2022/01/05/4
> https://www.openwall.com/lists/oss-security/2022/01/06/2
>
> --
>          -Alan Coopersmith-                 alan.coopersmith () oracle com
>           Oracle Solaris Engineering - https://blogs.oracle.com/solaris