https://bugzilla.redhat.com/show_bug.cgi?id=1850069
Bug ID: 1850069
Summary: CVE-2020-11989 shiro: spring dynamic controllers, a specially crafted request may cause an authentication bypass
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: gsuckevi@redhat.com
CC: aileenc@redhat.com, ataylor@redhat.com, chazlett@redhat.com, dbecker@redhat.com, drieden@redhat.com, extras-orphan@fedoraproject.org, ganandan@redhat.com, ggaughan@redhat.com, gmalinko@redhat.com, gvarsami@redhat.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jcoleman@redhat.com, jjoyce@redhat.com, jochrist@redhat.com, jschluet@redhat.com, jwon@redhat.com, kbasil@redhat.com, kconner@redhat.com, ldimaggi@redhat.com, lhh@redhat.com, lpeer@redhat.com, mburns@redhat.com, mkolesni@redhat.com, nwallace@redhat.com, puntogil@libero.it, rwagner@redhat.com, sclewis@redhat.com, scohen@redhat.com, slinaber@redhat.com, tcunning@redhat.com, tkirby@redhat.com
Target Milestone: ---
Classification: Other
In Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
Reference: https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380...
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What                Removed        Added
Depends On                         1850070
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1850070 [Bug 1850070] CVE-2020-11989 shiro: spring dynamic controllers, a specially crafted request may cause an authentication bypass [fedora-all]
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What                Removed        Added
Depends On                         1850070
Blocks                             1850071
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1850070 [Bug 1850070] CVE-2020-11989 shiro: spring dynamic controllers, a specially crafted request may cause an authentication bypass [fedora-all]
--- Comment #1 from Guilherme de Almeida Suckevicz gsuckevi@redhat.com --- Created shiro tracking bugs for this issue:
Affects: fedora-all [bug 1850070]
--- Comment #2 from Anten Skrabec askrabec@redhat.com --- Added affects for Red Hat OpenStack Platform 10 & 13. The vulnerable feature is not used by OpenDaylight.
--- Comment #3 from Anten Skrabec askrabec@redhat.com --- Statement:
Whilst the OpenDaylight version that is included in Red Hat OpenStack Platform includes the affected code, the vulnerable function is not used and therefore not exploitable.
--- Comment #6 from Joshua Padman jpadman@redhat.com --- Statement:
Whilst the OpenDaylight version that is included in Red Hat OpenStack Platform includes the affected code, the vulnerable functionality is not used and therefore not exploitable.
Jonathan Christison jochrist@redhat.com changed:
What                Removed        Added
Fixed In Version                   shiro 1.5.3
Product Security DevOps Team prodsec-dev@redhat.com changed:
What                Removed        Added
Status              NEW            CLOSED
Resolution          ---            WONTFIX
Last Closed                        2020-07-21 19:28:01
--- Comment #12 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-11989
--- Doc Text *updated* by Eric Christensen sparks@redhat.com --- A flaw was found in Apache Shiro in versions prior to 1.5.3. When using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
--- Comment #13 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.8.0
Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What                Removed        Added
Link ID                            Red Hat Product Errata RHSA-2020:5568
Bug 1850069 depends on bug 1850070, which changed state.
Bug 1850070 Summary: CVE-2020-11989 shiro: spring dynamic controllers, a specially crafted request may cause an authentication bypass [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1850070
What                Removed        Added
Status              NEW            CLOSED
Resolution          ---            EOL