Bug 2254478 (CVE-2023-46750)
| Summary: | CVE-2023-46750 shiro: URL redirection to untrusted site in FORM authentication feature | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | TEJ RATHI <trathi> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aileenc, anstephe, asoldano, avibelli, bbaranow, bgeorges, bmaxwell, brian.stansberry, cdewolf, chazlett, clement.escoffier, cmiranda, dandread, darran.lofthouse, dkreling, dosoudil, fjuma, fmariani, gmalinko, gsmet, ivassile, iweiss, janstey, jmartisk, jpoth, lgao, lthon, max.andersen, mosmerov, msochure, mstefank, msvehla, nwallace, olubyans, pajung, pcongius, pdelbell, pgallagh, pjindal, pmackay, probinso, rruss, rstancel, rsvoboda, sbiarozk, smaestri, tcunning, tom.jenkinson, tqvarnst, yfang |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | apache-shiro 1.13.0, apache-shiro 2.0.0-alpha-4 | Doc Type: | If docs needed, set a value |
| Doc Text: |
An "Open-Redirect" flaw was found in the Apache Shiro project. This issue may allow remote attackers to redirect legitimate users to arbitrary web sites containing malware that can compromise the user's machine and conduct phishing attacks to steal the user's credentials.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2254482 | ||
URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro. Affected versions: - Apache Shiro before 1.13.0 - Apache Shiro 2.0.0-alpha-1 before 2.0.0-alpha-4 https://issues.apache.org/jira/browse/OFBIZ-12866 https://lists.apache.org/thread/ff0rq7rykh6zxb7l4dronowpoxrcqkr8 https://seclists.org/oss-sec/2023/q4/275 https://www.mail-archive.com/notifications@ofbiz.apache.org/msg52244.html