
=====================================================================

                                  CERT-Renater

                       Information Note No. 2022/VULN375

_____________________________________________________________________

DATE                : 12/10/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Shiro versions prior to
                     1.10.0.

=====================================================================
https://lists.apache.org/thread/ynx4mx9phc61ctr80lbwp1rsg2lmn6k4
_____________________________________________________________________


[ANNOUNCE][CVE-2022-40664] Apache Shiro 1.10.0 released
The Shiro team is pleased to announce the release of Apache Shiro
version 1.10.0.

This security release contains 7 fixes since the 1.9.1 release and is
available for download now [1].

CVE-2022-40664:

Apache Shiro before 1.10.0: Authentication Bypass Vulnerability in
Shiro when forwarding or including via RequestDispatcher.


Credit:
Apache Shiro would like to thank Y4tacker for reporting this issue.


Bug

* [SHIRO-512] - Race condition in Shiro's web container session
  timeout handling
* [SHIRO-887] - FormAuthenticationFilter trims passwords which
  start and/or end with one or more space character(s)

Improvement

* [SHIRO-891] - fix source jar Reproducible Builds issue
* [SHIRO-884] - fix source jar Reproducible Builds issue
* [SHIRO-885] - Use OWASP Java Encoder with OSGi manifest
* [SHIRO-890] - Avoid another proxy creator when @EnableAspectJAutoProxy
  enabled
* [SHIRO-891] - Allow for direct configuration of ShiroFilter
  through WebEnvironment

Behavior Changes

As of 1.10.0, Shiro may filter a request multiple times, e.g.
when including or forwarding requests.
This behavior can be reverted by setting the following property:
`shiro.filterOncePerRequest=true`


Release binaries (.jars) are also available through Maven Central
and source bundles through Apache distribution mirrors.

For more information on Shiro, please read the documentation [2].


-The Apache Shiro Team

[1] http://shiro.apache.org/download.html
[2] http://shiro.apache.org/documentation.html

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email: cert@support.renater.fr+
=========================================================