Vulnerability 161731 - Apache Shiro < 1.8.0 Authentication Bypass

Article ID: 248124

Products

CA Process Automation Base

Issue/Introduction

Vulnerability 161731 was detected on the ITPAM server:
"Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass."

Plugin Output:
  Path              : C:\Program Files\CA\PAM\activemq\lib\optional\shiro-core-1.4.1.jar
  Installed version : 1.4.1
  Fixed version     : 1.8.0

  Path              : C:\Program Files\CA\PAM\activemq\lib\optional\shiro-spring-1.4.1.jar
  Installed version : 1.4.1
  Fixed version     : 1.8.0

Environment

Release : 4.3.X

Component : Process Automation

Cause

The reported jars belong to the ActiveMQ component used by ITPAM.
They are optional jars and are not required by ITPAM.

Resolution

The upcoming major release, ITPAM 4.4, will ship Shiro version 1.9.0:
shiro-core-1.9.0
shiro-spring-1.9.0

As a workaround, these jars can be deleted from the installation location:
C:\Program Files\CA\PAM\activemq\lib\optional\
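As an added check, not part of this article or of ITPAM itself, the following Python script finds Shiro jars below the 1.8.0 fixed version in a directory such as the one above and removes them only when explicitly asked. The function names (parse_shiro_jar, is_vulnerable, scan_directory, demo_scan) and the jar naming pattern shiro-<artifact>-<version>.jar are assumptions taken from the plugin output; the demonstration scans a constructed temporary folder rather than a live installation.

```python
"""Report (and optionally remove) Apache Shiro jars older than the fixed version.
Added example, not part of the article; assumes jars are named shiro-<artifact>-<version>.jar."""
import os
import re
import tempfile

FIXED_VERSION = (1, 8, 0)  # "Fixed version : 1.8.0" from the plugin output
JAR_RE = re.compile(r"^(shiro-[a-z-]+?)-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)


def parse_shiro_jar(filename):
    """Return (artifact, version tuple) for e.g. shiro-core-1.4.1.jar, else None."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return m.group(1).lower(), tuple(int(p) for p in m.group(2).split("."))


def is_vulnerable(version):
    """Anything below 1.8.0 is affected; short versions such as (1, 8) are zero-padded."""
    padded = version + (0,) * (3 - len(version))
    return padded < FIXED_VERSION


def scan_directory(path, remove=False):
    """Return [(filename, version)] for affected jars; delete them only when remove=True."""
    findings = []
    for name in sorted(os.listdir(path)):
        parsed = parse_shiro_jar(name)
        if parsed and is_vulnerable(parsed[1]):
            findings.append((name, ".".join(map(str, parsed[1]))))
            if remove:
                os.remove(os.path.join(path, name))
    return findings


def demo_scan():
    """Constructed sample directory: the two jars from the scan, a fixed one and a decoy."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("shiro-core-1.4.1.jar", "shiro-spring-1.4.1.jar",
                     "shiro-core-1.9.0.jar", "activemq-shiro-5.15.jar"):
            open(os.path.join(tmp, name), "wb").close()  # empty placeholder jars
        before = scan_directory(tmp)          # report only
        scan_directory(tmp, remove=True)      # apply the article's workaround
        return before, scan_directory(tmp)    # second scan should find nothing
```

To run against a real installation, call scan_directory with the optional directory path first without remove=True and review the list before deleting anything.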