Bug 1903727 (CVE-2020-17510) - CVE-2020-17510 shiro: specially crafted HTTP request may cause an authentication bypass
Summary: CVE-2020-17510 shiro: specially crafted HTTP request may cause an authenticat...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-17510
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1903729
TreeView+ depends on / blocked
 
Reported: 2020-12-02 17:22 UTC by Dhananjay Arunesh
Modified: 2021-08-11 19:28 UTC (History)
33 users (show)

See Also:
Fixed In Version: shiro 1.7.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache shiro. When using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. This highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-08-11 19:28:50 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3140 0 None None None 2021-08-11 18:23:37 UTC

Description Dhananjay Arunesh 2020-12-02 17:22:57 UTC
Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.

References:
https://lists.apache.org/thread.html/r95bdf3703858b5f958b5e190d747421771b430d97095880db91980d6@%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E

Comment 1 Anten Skrabec 2020-12-02 19:42:14 UTC
Statement:

Whilst the OpenDaylight version that is included in Red Hat OpenStack Platform includes the affected code, the vulnerable function is not used and therefore not exploitable.

Comment 2 Anten Skrabec 2020-12-04 01:37:49 UTC
To further clarify about Red Hat OpenStack Platform, we do not ship the Shiro <-> Spring integration (shiro-spring), only the shiro-core and shiro-web artifacts.

Comment 4 Jonathan Christison 2020-12-04 12:28:05 UTC
Marking Red Hat Fuse 7 as having a low impact, Fuse 7 distributes some shiro artifacts (shiro-core) as part of camel-shiro however these artifacts are not impacted by the vulnerability. 

Marking Red Hat JBoss Fuse 6 as having a moderate impact, Fuse 6 does distribute some shiro artifacts as part of camel-shiro, however these are not affected by the vulnerability, only components using shiro in the context of the web application portion of the shiro framework are affected and only the artifacts org.apache.shiro:shiro-web:*, org.apache.shiro:shiro-spring:*, org.apache.shiro:shiro-guice:* and org.apache.shiro:shiro-all:* are altered in the fix version of shiro (1.6.0)

Red Hat JBoss AMQ-6 does however distribute shiro-spring in error as part of the activemq shiro plugin, the artifact would not be used under normal circumstances and the issue has been marked as moderate because of this, however as a precaution we have requested the superfluous shiro-spring artifact be removed from any deliverables.
 
 This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 9 errata-xmlrpc 2021-08-11 18:23:34 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.9

Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140

Comment 10 Product Security DevOps Team 2021-08-11 19:28:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-17510


Note You need to log in before you can comment on or make changes to this bug.