Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. Reference: https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E
Created shiro tracking bugs for this issue: Affects: fedora-all [bug 1850070]
Added affects for Red Hat OpenStack Platform 10 & 13. The vulnerable feature is not used by OpenDaylight.
Statement: Whilst the OpenDaylight version that is included in Red Hat OpenStack Platform includes the affected code, the vulnerable functionality is not used and therefore not exploitable.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-11989
This issue has been addressed in the following products: Red Hat Fuse 7.8.0 Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568