
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN609
_____________________________________________________________________

DATE                : 06/11/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Shiro versions prior to 1.7.0.

=====================================================================
http://mail-archives.apache.org/mod_mbox/www-announce/202011.mbox/%3cdb7aec3e-923a-1225-ee17-86f25f69322d@openobject.fr%3e
_____________________________________________________________________

In Apache Shiro before 1.7.0, when Shiro is used together with Spring, a
specially crafted HTTP request may cause an authentication bypass.

If you are NOT using Shiro's Spring Boot Starter
(`shiro-spring-boot-web-starter`), you must add the
ShiroRequestMappingConfig auto-configuration[1] to your application or
configure the equivalent manually[2].
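
The following is an added example, not text from this advisory and not a
verbatim copy of Shiro's own class: a manual equivalent of the
ShiroRequestMappingConfig auto-configuration for an application that wires
Shiro into Spring MVC without the Spring Boot starter. It assumes that the
configuration referenced in [2] consists of disabling suffix-pattern matching
and trailing-slash matching on Spring's RequestMappingHandlerMapping, so that
Spring MVC dispatches a request on the same path that Shiro's filter chain
evaluated; the package and class names are hypothetical.

```java
// Added example (not from the advisory, not Shiro's code verbatim).
// Assumption: the manual equivalent of ShiroRequestMappingConfig is to turn
// off suffix-pattern and trailing-slash matching on Spring MVC's
// RequestMappingHandlerMapping, so a controller mapped at "/admin/report"
// cannot also be reached through a path Shiro's filter chain did not evaluate.
package com.example.security; // hypothetical package

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;

@Configuration
public class StrictRequestMappingConfig { // hypothetical class name

    // Spring invokes this once the RequestMappingHandlerMapping bean exists,
    // i.e. before any controller mapping is matched against a live request.
    @Autowired
    public void hardenRequestMapping(RequestMappingHandlerMapping mapping) {
        // "/admin/report" must not also match "/admin/report.json" and the like.
        mapping.setUseSuffixPatternMatch(false);
        // "/admin/report" must not also match "/admin/report/".
        mapping.setUseTrailingSlashMatch(false);

        // Fail closed at startup if a customised mapping ignored the settings.
        if (mapping.useSuffixPatternMatch() || mapping.useTrailingSlashMatch()) {
            throw new IllegalStateException(
                "strict request mapping was not applied; refusing to start");
        }
    }
}
```

Applications that use `shiro-spring-boot-web-starter` get this configuration
automatically, as the advisory notes; the class above is only for deployments
that assemble the Shiro and Spring MVC wiring themselves. Verify the effect
after deployment by requesting a protected controller path with a trailing
slash or an added suffix and confirming it is refused exactly like the
canonical path.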

[0] https://www.apache.org/security/
[1] https://shiro.apache.org/spring-framework.html#SpringFramework-WebConfig
[2] https://github.com/apache/shiro/blob/shiro-root-1.7.0/support/spring/src/main/java/org/apache/shiro/spring/web/config/ShiroRequestMappingConfig.java#L28-L30



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


