https://bugzilla.redhat.com/show_bug.cgi?id=1829281
Bug ID: 1829281 Summary: CVE-2020-1957 shiro: Spring dynamic controllers, a specially crafted request may cause an authentication bypass Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team@redhat.com Reporter: mrehak@redhat.com CC: aileenc@redhat.com, ataylor@redhat.com, chazlett@redhat.com, dbecker@redhat.com, drieden@redhat.com, extras-orphan@fedoraproject.org, ganandan@redhat.com, ggaughan@redhat.com, gmalinko@redhat.com, gvarsami@redhat.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jcoleman@redhat.com, jjoyce@redhat.com, jochrist@redhat.com, jschluet@redhat.com, jwon@redhat.com, kbasil@redhat.com, kconner@redhat.com, ldimaggi@redhat.com, lhh@redhat.com, lpeer@redhat.com, mburns@redhat.com, mkolesni@redhat.com, nwallace@redhat.com, puntogil@libero.it, rwagner@redhat.com, sclewis@redhat.com, scohen@redhat.com, slinaber@redhat.com, tcunning@redhat.com, tkirby@redhat.com Target Milestone: --- Classification: Other
When using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
Upstream Advisory:
https://lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e...
https://bugzilla.redhat.com/show_bug.cgi?id=1829281
Marian Rehak mrehak@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1829282
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1829282 [Bug 1829282] CVE-2020-1957 shiro: Spring dynamic controllers, a specially crafted request may cause an authentication bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1829281
--- Comment #1 from Marian Rehak mrehak@redhat.com --- Created shiro tracking bugs for this issue:
Affects: fedora-all [bug 1829282]
https://bugzilla.redhat.com/show_bug.cgi?id=1829281
Marian Rehak mrehak@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1829283
https://bugzilla.redhat.com/show_bug.cgi?id=1829281
--- Comment #4 from Anten Skrabec askrabec@redhat.com --- Statement:
While the Opendaylight that is included in Red Hat OpenStack Platform ships the affected code, the vulnerable function is not used.
https://bugzilla.redhat.com/show_bug.cgi?id=1829281
--- Comment #5 from Anten Skrabec askrabec@redhat.com --- Statement:
While the OpenDaylight version that is included in Red Hat OpenStack Platform ships the affected code, the vulnerable function is not used.
https://bugzilla.redhat.com/show_bug.cgi?id=1829281
--- Comment #6 from Joshua Padman jpadman@redhat.com --- Statement:
Whilst the OpenDaylight version that is included in Red Hat OpenStack Platform includes the affected code, the vulnerable function is not used and therefore not exploitable.
https://bugzilla.redhat.com/show_bug.cgi?id=1829281
Product Security DevOps Team prodsec-dev@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |WONTFIX Last Closed| |2020-04-30 04:31:45
--- Comment #7 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-1957
https://bugzilla.redhat.com/show_bug.cgi?id=1829281
--- Doc Text *updated* by Eric Christensen sparks@redhat.com --- A flaw was found in Apache Shiro. When using Spring dynamic controllers, a specially crafted request may cause an authentication bypass. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
https://bugzilla.redhat.com/show_bug.cgi?id=1829281 Bug 1829281 depends on bug 1829282, which changed state.
Bug 1829282 Summary: CVE-2020-1957 shiro: Spring dynamic controllers, a specially crafted request may cause an authentication bypass [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1829282
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |EOL
java-sig-commits@lists.fedoraproject.org