CVE-2023-34478 - Authentication Bypass
Severity: Critical
2023-11-09
Abstract
Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+
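The bug class described above is a disagreement between two components: the authentication filter decides on the request path as received, while the web framework routes on the normalized form. The following is an added, constructed illustration of that class (it is not Apache Shiro's code, Oxygen's code, or the specific vector behind CVE-2023-34478); the rule set, the `canonicalize` helper and the `dispatch` simulation are hypothetical. It shows a naive filter beside the hardened one that applies its rules only after canonicalization, plus a stricter `is_canonical` check an edge filter can use to refuse any path that changes under normalization.

```python
"""Added example: why an authorization filter must match its rules against the
normalized request path. Constructed illustration of the general bug class,
not the specific Apache Shiro vector; the rule set below is hypothetical."""
from posixpath import normpath
from urllib.parse import unquote

# Hypothetical rule set: everything under /admin/ requires an authenticated user.
PROTECTED_PREFIXES = ("/admin/",)


def canonicalize(raw_path: str) -> str:
    """Return the path the resource layer will actually resolve.

    Percent-decoding happens exactly once (decoding twice would let an encoded
    '%25' turn into a second round of '.' and '/' characters), then '.' and
    '..' segments and repeated slashes are collapsed.
    """
    decoded = unquote(raw_path)
    path = normpath(decoded)
    # posixpath.normpath keeps a leading '//' (POSIX treats it as special);
    # a URL router does not, so collapse it to a single slash.
    if path.startswith("//"):
        path = "/" + path.lstrip("/")
    if not path.startswith("/"):
        path = "/" + path
    # normpath drops a trailing slash; keep it so '/admin/' still matches a prefix rule.
    if decoded.endswith("/") and not path.endswith("/"):
        path += "/"
    return path


def naive_requires_auth(raw_path: str) -> bool:
    """Weak filter: applies the rules to the path exactly as received."""
    return raw_path.startswith(PROTECTED_PREFIXES)


def hardened_requires_auth(raw_path: str) -> bool:
    """Fixed filter: applies the rules to the canonical path the router will use."""
    return canonicalize(raw_path).startswith(PROTECTED_PREFIXES)


def is_canonical(raw_path: str) -> bool:
    """Stricter option for an edge filter: reject anything that changes under
    canonicalization, so rule matching and routing can never disagree."""
    return canonicalize(raw_path) == raw_path


def dispatch(raw_path: str, requires_auth, authenticated: bool) -> str:
    """Simulate the filter/router split: the filter decides with the given
    check, the router resolves the normalized path. Returns the client's result."""
    if requires_auth(raw_path) and not authenticated:
        return "401 Unauthorized"
    return "200 " + canonicalize(raw_path)


if __name__ == "__main__":
    # Constructed request: the raw path is not under /admin/, but resolves there.
    raw = "/public/../admin/users"
    print("naive   :", dispatch(raw, naive_requires_auth, authenticated=False))
    print("hardened:", dispatch(raw, hardened_requires_auth, authenticated=False))
    print("canonical?", is_canonical(raw))
```

Running the block shows the naive filter serving the protected resource to an unauthenticated client while the hardened filter answers 401. The `is_canonical` check is the more conservative choice for a front-end filter: refusing non-canonical paths outright removes the possibility of the two components disagreeing, at the cost of rejecting some unusual but harmless requests.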
The Oxygen products incorporate Apache Shiro as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
|---|---|---|
| Oxygen XML Web Author v25.1.0.1 and older | Critical | Oxygen XML Web Author 26.0.0 build 2023101015 |
| Oxygen Content Fusion v5.1.1 and older | Critical | Oxygen Content Fusion 6.0 build 2023110109 |
Detail
CVE-2023-34478
Severity: Critical
CVSS Score: 9.8
The Apache Shiro third-party library used by Oxygen XML products is one of the affected versions named in the CVE-2023-34478 vulnerability description.
Starting with Oxygen XML Web Author 26.0.0 build 2023101015, the Apache Shiro library was updated to a version that fixes this vulnerability.
Starting with Oxygen Content Fusion 6.0 build 2023110109, the Apache Shiro library was updated to a version that fixes this vulnerability.