CVE-2020-17523 - Improper Authentication
Severity: Low
2021-12-08
Abstract
In Apache Shiro before 1.7.1, when Apache Shiro is used with Spring, a specially crafted HTTP request may cause an authentication bypass.
The Oxygen XML products incorporate Apache Shiro as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
Product | Severity | Fixed Release Availability |
Oxygen Content Fusion 4.1 and older | Low | Oxygen Content Fusion 4.1.2 build 2021112414 |
Detail
CVE-2020-17523
Severity: Critical
CVSS Score: 9.8
The Apache Shiro third-party library used by Oxygen XML software products is one of the affected versions listed in the CVE-2020-17523 vulnerability description. However, Spring is not included in Oxygen XML software products. Therefore, Oxygen XML software products are not impacted by CVE-2020-17523.
Starting with Oxygen Content Fusion version 4.1, Apache Shiro was updated to version 1.8, which includes a fix for CVE-2020-17523.