
Dependency org.apache.shiro:shiro-web, leading to CVE problem

Open · CVEDetect opened this issue 3 years ago · 1 comment

Hi, in Spring-Boot-Shiro there is a dependency, org.apache.shiro:shiro-web:1.3.2, that calls the risk method.

CVE-2020-11989

The affected version range of this CVE is [,1.6.0).

After further analysis, the main API called in this project is <org.apache.shiro.web.util.WebUtils: java.lang.String getPathWithinApplication(javax.servlet.http.HttpServletRequest)>

Risk method repair link: GitHub

CVE bug invocation path:

Path Length : 5

<org.apache.shiro.web.util.WebUtils: java.lang.String getPathWithinApplication(javax.servlet.http.HttpServletRequest)>
at <org.apache.shiro.web.filter.PathMatchingFilter: java.lang.String getPathWithinApplication(javax.servlet.ServletRequest)> (org.apache.shiro.web.filter.PathMatchingFilter.java:[103]) in /.m2/repository/org/apache/shiro/shiro-web/1.3.2/shiro-web-1.3.2.jar
at <org.apache.shiro.web.filter.PathMatchingFilter: boolean pathsMatch(java.lang.String,javax.servlet.ServletRequest)> (org.apache.shiro.web.filter.PathMatchingFilter.java:[122]) in /.m2/repository/org/apache/shiro/shiro-web/1.3.2/shiro-web-1.3.2.jar
at <org.apache.shiro.web.filter.PathMatchingFilter: boolean preHandle(javax.servlet.ServletRequest,javax.servlet.ServletResponse)> (org.apache.shiro.web.filter.PathMatchingFilter.java:[175]) in /.m2/repository/org/apache/shiro/shiro-web/1.3.2/shiro-web-1.3.2.jar
at <org.inlighting.shiro.JWTFilter: boolean preHandle(javax.servlet.ServletRequest,javax.servlet.ServletResponse)> (org.inlighting.shiro.JWTFilter.java:[81]) in /detect/unzip/Spring-Boot-Shiro-master/target/classesc

Dependency tree:

[INFO] org.inlighting:shiro-study:jar:1.1
[INFO] +- org.slf4j:slf4j-api:jar:1.7.16:compile
[INFO] +- org.apache.shiro:shiro-spring:jar:1.3.2:compile
[INFO] |  +- org.apache.shiro:shiro-core:jar:1.3.2:compile
[INFO] |  |  \- commons-beanutils:commons-beanutils:jar:1.8.3:compile
[INFO] |  \- org.apache.shiro:shiro-web:jar:1.3.2:compile
[INFO] +- com.auth0:java-jwt:jar:3.2.0:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.4:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.8.4:compile
[INFO] |  +- commons-codec:commons-codec:jar:1.10:compile
[INFO] |  \- org.bouncycastle:bcprov-jdk15on:jar:1.55:compile
[INFO] \- org.springframework.boot:spring-boot-starter-web:jar:1.5.8.RELEASE:compile
[INFO]    +- org.springframework.boot:spring-boot-starter:jar:1.5.8.RELEASE:compile
[INFO]    |  +- org.springframework.boot:spring-boot:jar:1.5.8.RELEASE:compile
[INFO]    |  +- org.springframework.boot:spring-boot-autoconfigure:jar:1.5.8.RELEASE:compile
[INFO]    |  +- org.springframework.boot:spring-boot-starter-logging:jar:1.5.8.RELEASE:compile
[INFO]    |  |  +- ch.qos.logback:logback-classic:jar:1.1.11:compile
[INFO]    |  |  |  \- ch.qos.logback:logback-core:jar:1.1.11:compile
[INFO]    |  |  +- org.slf4j:jcl-over-slf4j:jar:1.7.25:compile
[INFO]    |  |  +- org.slf4j:jul-to-slf4j:jar:1.7.25:compile
[INFO]    |  |  \- org.slf4j:log4j-over-slf4j:jar:1.7.25:compile
[INFO]    |  +- org.springframework:spring-core:jar:4.3.12.RELEASE:compile
[INFO]    |  \- org.yaml:snakeyaml:jar:1.17:runtime
[INFO]    +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.8.RELEASE:compile
[INFO]    |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.23:compile
[INFO]    |  |  \- org.apache.tomcat:tomcat-annotations-api:jar:8.5.23:compile
[INFO]    |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.23:compile
[INFO]    |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.23:compile
[INFO]    +- org.hibernate:hibernate-validator:jar:5.3.5.Final:compile
[INFO]    |  +- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO]    |  +- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
[INFO]    |  \- com.fasterxml:classmate:jar:1.3.1:compile
[INFO]    +- org.springframework:spring-web:jar:4.3.12.RELEASE:compile
[INFO]    |  +- org.springframework:spring-aop:jar:4.3.12.RELEASE:compile
[INFO]    |  +- org.springframework:spring-beans:jar:4.3.12.RELEASE:compile
[INFO]    |  \- org.springframework:spring-context:jar:4.3.12.RELEASE:compile
[INFO]    \- org.springframework:spring-webmvc:jar:4.3.12.RELEASE:compile
[INFO]       \- org.springframework:spring-expression:jar:4.3.12.RELEASE:compile

Suggested solutions:

Update the dependency version.

Thank you very much.

CVEDetect, Oct 06 '21 04:10
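As an added example (not part of this issue or of the Spring-Boot-Shiro project), here is a small check that scans `mvn dependency:tree` output for shiro-web versions inside the affected range [,1.6.0) reported above. The sample tree lines are copied from this issue; the numeric-prefix version comparison is an assumption that is sufficient for Shiro's release numbering.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the relevant lines of the dependency tree posted in this issue.
SAMPLE_TREE = """\
[INFO] org.inlighting:shiro-study:jar:1.1
[INFO] +- org.slf4j:slf4j-api:jar:1.7.16:compile
[INFO] +- org.apache.shiro:shiro-spring:jar:1.3.2:compile
[INFO] |  +- org.apache.shiro:shiro-core:jar:1.3.2:compile
[INFO] |  |  \\- commons-beanutils:commons-beanutils:jar:1.8.3:compile
[INFO] |  \\- org.apache.shiro:shiro-web:jar:1.3.2:compile
[INFO] +- com.auth0:java-jwt:jar:3.2.0:compile
"""

# Maven coordinates as printed by dependency:tree:
# group:artifact:packaging[:classifier]:version:scope
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):(\w+)(?::[\w.\-]+)?:([\w.\-]+):(\w+)\s*$")

# Advisory data taken from the issue: shiro-web is affected for [,1.6.0).
# Each entry is (lower bound inclusive or None, upper bound exclusive or None).
AFFECTED = {("org.apache.shiro", "shiro-web"): (None, "1.6.0")}

def version_key(v: str) -> Tuple[int, ...]:
    # Assumption: compare only the numeric prefix ("1.6.0", "4.3.12.RELEASE").
    parts = []
    for p in re.split(r"[.\-]", v):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)

def in_range(version: str, lower: Optional[str], upper: Optional[str]) -> bool:
    k = version_key(version)
    if lower is not None and k < version_key(lower):
        return False
    if upper is not None and k >= version_key(upper):
        return False
    return True

def find_affected(tree_text: str) -> List[Tuple[str, str, str]]:
    # Return (group, artifact, version) for every resolved artifact in an affected range.
    hits = []
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue  # root project line and non-coordinate output
        group, artifact, _pkg, version, _scope = m.groups()
        rng = AFFECTED.get((group, artifact))
        if rng and in_range(version, *rng):
            hits.append((group, artifact, version))
    return hits
```

In the tree above, shiro-web arrives transitively through shiro-spring:1.3.2, so the version to raise in the pom is the one declared for shiro-spring.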

@Smith-Cruise Could you please help me check this issue? May I open a pull request to fix it? Thanks again.

CVEDetect, Oct 06 '21 04:10