CVE-2021-41303 - Improper Authentication
Severity: Low
2021-10-18
Abstract
In Apache Shiro before 1.8.0, when Apache Shiro is used with Spring Boot, a specially crafted HTTP request may cause an authentication bypass.
Oxygen XML Web Author products incorporate Apache Shiro as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
Product | Severity | Fixed Release Availability |
Oxygen XML Web Author 23.1 and older | Low | Oxygen XML Web Author 24.0 build 2021101122, Oxygen XML Web Author 23.1 build 2021112409 |
Oxygen Content Fusion 4.1 and older | Low | Oxygen Content Fusion 4.1.2 build 2021112414 |
Detail
CVE-2021-41303
Severity: Critical
CVSS Score: 9.8
The version of the Apache Shiro third-party library used by Oxygen XML software products is one of the affected versions named in the CVE-2021-41303 vulnerability description. However, Spring Boot is not included in Oxygen XML software products, so they are not impacted by CVE-2021-41303.
Starting with Oxygen XML Web Author version 24.0, Apache Shiro was updated to version 1.8.0, which includes a fix for CVE-2021-41303.
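The reasoning above (an affected Shiro version is present, but Spring Boot is not) can be checked against a deployment's bundled libraries. The following is an added example, not part of the original advisory or of any Oxygen XML product; it assumes Maven-style jar file names such as shiro-core-1.7.1.jar, and the function and status names are hypothetical.

```python
import os
import re

FIXED = (1, 8, 0)  # first Shiro release with the fix, per the advisory
# Assumption: jars keep Maven-style names, e.g. shiro-web-1.7.1.jar
SHIRO_JAR = re.compile(r"^shiro-([a-z-]+?)-(\d+(?:\.\d+)*)(?:[-.].*)?\.jar$")
SPRING_BOOT_JAR = re.compile(r"^(?:shiro-)?spring-boot-.*\.jar$")


def parse_version(text):
    """Turn '1.7.1' into (1, 7, 1), padded to three components."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(jar_names):
    """Classify jar file names against the two CVE-2021-41303 conditions."""
    old_shiro, spring_boot = [], False
    for name in jar_names:
        base = os.path.basename(name)
        if SPRING_BOOT_JAR.match(base):
            spring_boot = True
        m = SHIRO_JAR.match(base)
        if m and parse_version(m.group(2)) < FIXED:
            old_shiro.append(base)
    if not old_shiro:
        status = "no-affected-shiro"
    elif spring_boot:
        status = "review-required"  # both conditions from the CVE text are met
    else:
        # The situation the advisory describes for Oxygen XML products
        status = "affected-version-without-spring-boot"
    return {"status": status, "old_shiro": sorted(old_shiro),
            "spring_boot": spring_boot}


def scan(root):
    """Walk a deployment directory and classify every jar found under it."""
    jars = [f for _, _, files in os.walk(root)
            for f in files if f.endswith(".jar")]
    return classify(jars)
```

File names are only a heuristic: a shaded or renamed jar will not be detected, so a result of "no-affected-shiro" should be confirmed against the build's dependency list.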
Revision History
2021-12-06 Starting with Oxygen XML Web Author version 23.1 build 2021112409, Apache Shiro was updated to version 1.8.0, which includes a fix for CVE-2021-41303.
2021-12-07 Starting with Oxygen Content Fusion version 4.1 build 2021112414, Apache Shiro was updated to version 1.8.0, which includes a fix for CVE-2021-41303.