oss-sec mailing list archives

Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher


From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Wed, 12 Oct 2022 12:21:40 -0700

On 10/11/22 19:52, Brian Demers wrote:
> Description:
> 
> Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in
> Shiro when forwarding or including via RequestDispatcher.
> 
> Credit:
> 
> Apache Shiro would like to thank Y4tacker for reporting this issue

Thanks for informing oss-security of these issues, but good security
announcements have a little more detail, like what actions users or
distributors need to take (upgrade to a new version?  what version?)
and information on where to find more details, like a bug id in your
bug tracker.  If you look at the announcements from other Apache
projects, you'll see they often include those.

Some good examples:
https://www.openwall.com/lists/oss-security/2021/12/18/2
https://www.openwall.com/lists/oss-security/2022/01/05/4
https://www.openwall.com/lists/oss-security/2022/01/06/2

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris