CVE-2022-40664 - Improper Authentication
Severity: None
2022-11-21
Abstract
The Shiro package is vulnerable to Improper Authentication. The doFilter() method of the OncePerRequestFilter class executes the filter only once per request, even when the request is forwarded or included via javax.servlet.RequestDispatcher, so the forwarded or included target is not re-checked. A remote attacker can send a specially crafted HTTP request to bypass security restrictions and gain unauthorized access to the application.
The Oxygen products incorporate Shiro as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
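As an added illustration, not Shiro's code and not anything shipped in the Oxygen products, the hypothetical servlet filter below shows the once-per-request shortcut the abstract describes next to a dispatch-aware setting that re-evaluates the path rules on every FORWARD or INCLUDE; the class name, the /admin/ policy and the session "user" attribute are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical path-based access filter (not Shiro's or Oxygen's code). The container invokes it on
// FORWARD/INCLUDE dispatches only if the filter mapping lists those DispatcherTypes.
public class DispatchAwareAuthFilter implements Filter {
    private static final String ALREADY_FILTERED = DispatchAwareAuthFilter.class.getName() + ".FILTERED";
    // true: skip the check on any later pass of the same request (the weak shortcut);
    // false: re-run the check on every dispatch, including FORWARD and INCLUDE.
    private final boolean filterOncePerRequest;
    public DispatchAwareAuthFilter(boolean filterOncePerRequest) { this.filterOncePerRequest = filterOncePerRequest; }
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        boolean firstPass = request.getAttribute(ALREADY_FILTERED) == null;
        // Weak shortcut: a forward/include of an already filtered request reuses the first decision,
        // so the rules for the forwarded-to path are never evaluated.
        if (!firstPass && filterOncePerRequest) {
            chain.doFilter(request, response);
            return;
        }
        if (firstPass) request.setAttribute(ALREADY_FILTERED, Boolean.TRUE);
        try {
            if (!isAllowed(request)) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            chain.doFilter(request, response);
        } finally {
            if (firstPass) request.removeAttribute(ALREADY_FILTERED);
        }
    }

    // Placeholder policy (assumption): paths under /admin/ need a session with a "user" attribute.
    // On a forward, getServletPath() already reflects the target path, so a re-check evaluates it.
    protected boolean isAllowed(HttpServletRequest request) {
        if (!request.getServletPath().startsWith("/admin/")) return true;
        return request.getSession(false) != null && request.getSession(false).getAttribute("user") != null;
    }
}
```

Constructing the filter with `false` and mapping it for REQUEST, FORWARD and INCLUDE makes the rules for the dispatched-to path apply on each pass, which is the behaviour the advisory's fixed Shiro version is relied upon for.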
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
| --- | --- | --- |
| Oxygen XML Web Author v25.0.0.0 and older | None | Oxygen XML Web Author 25.0.0.1 build 2022111708 |
| Oxygen Content Fusion v5.0.1 and older | None | Content Fusion 5.0.2 build 2022121305 |
Detail
CVE-2022-40664
Severity: Critical
CVSS Score: 9.8
The Shiro third-party library used by Oxygen XML products is one of the affected versions listed in the CVE-2022-40664 vulnerability description. However, the Oxygen products do not call the vulnerable code. For that reason, Oxygen XML products are not affected by this vulnerability.
Starting with Oxygen XML Web Author v25.0.0.1 build 2022111708, the Shiro library was updated to a newer version that fixes this vulnerability.