Lucene search

K
debianDebianDEBIAN:DLA-2726-1:D3013
HistoryAug 02, 2021 - 10:10 p.m.

[SECURITY] [DLA 2726-1] shiro security update

2021-08-0222:10:13
lists.debian.org
25
shiro security update
cve-2020-13933
cve-2020-17510
authentication bypass
java framework

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.3

Confidence

High

EPSS

0.032

Percentile

91.4%


Debian LTS Advisory DLA-2726-1 [email protected]
https://www.debian.org/lts/security/ Roberto C. Sánchez
August 02, 2021 https://wiki.debian.org/LTS

Package : shiro
Version : 1.3.2-1+deb9u2
CVE ID : CVE-2020-13933 CVE-2020-17510
Debian Bug : 968753

It was discovered that there were two issues in shiro, a security
framework for Java applications:

CVE-2020-13933

Fix an authentication bypass resulting from a specially
crafted HTTP request.

CVE-2020-17510

Fix an authentication bypass resulting from a specially
crafted HTTP request.

For Debian 9 stretch, these problems have been fixed in version
1.3.2-1+deb9u2.

We recommend that you upgrade your shiro packages.

For the detailed security status of shiro please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/shiro

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.3

Confidence

High

EPSS

0.032

Percentile

91.4%