On July 24, 2023, Apache Shiro released an updated version to fix an authentication bypass vulnerability, vulnerability number: CVE-2023-34478, vulnerability hazard level: high risk.
Apache Shiro versions prior to 1.12.0 and prior to 2.0.0-alpha-3 are vulnerable to path traversal attacks, which can lead to authentication bypasses when used with APIs or other web frameworks that route requests based on denormalized requests.
JeecgBoot has been officially repaired. It is recommended that you upgrade to Apache Shiro version 1.12.0 as soon as possible.
1. Vulnerability description
Apache Shiro releases an updated version, which fixes an authentication bypass vulnerability, vulnerability number: CVE-2023-34478, vulnerability hazard level: high risk
2. Scope of influence
- Apache Shiro version < 1.12.0
- Apache Shiro version < 2.0.0-alpha-3
3. Security measures 3.1 upgrade version
At present, the vulnerability has been fixed, and affected users can upgrade to the following versions:
- Apache Shiro version >= 1.12.0
- Apache Shiro version >= 2.0.0-alpha-3
Download link:
https://github.com/apache/shiro/tags
Four, JeecgBoot repair program
Just upgrade the shiro version in jeecg-boot/pom.xml to 1.12.0, as shown below: