Upgrade Apache Shiro dependency to avoid security vulnerabilities
Closed · 1 comment
The latest released dropwizard-shiro artifact, which is version 0.2.0, is using Apache Shiro version 1.2.3, which is known to have two security vulnerabilities:
- As per CVE-2016-6802 and the official Shiro page:
Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.
- As per CVE-2016-4437 and the official Shiro page:
Apache Shiro before 1.2.5, when a cipher key has not been configured for the “remember me” feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
The way I went around forking and changing your lib was to exclude the shiro-web artifact from the dropwizard-shiro dependency, and bring it in as a separate dependency. Luckily, they seem to be compatible (no errors/issues so far).
```xml
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-web</artifactId>
    <version>1.4.0</version>
</dependency>
<dependency>
    <groupId>org.secnod.dropwizard</groupId>
    <artifactId>dropwizard-shiro</artifactId>
    <version>0.2.0</version>
    <exclusions>
        <exclusion>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-web</artifactId>
        </exclusion>
    </exclusions>
</dependency>
```
Any plans to upgrade the Apache Shiro dependency that the actual dropwizard-shiro project is using?
I don't want to chase point releases of Apache Shiro.
Anyways, if you simply add a direct dependency from your POM to org.apache.shiro:shiro-core and org.apache.shiro:shiro-web, Maven will pick your versions.
Maybe the documentation should be more clear on this.
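The direct-dependency approach described in the comment above, written out as an added example (it is not from the issue or the dropwizard-shiro project). Unlike the exclusion in the issue, which only swaps shiro-web and leaves shiro-core at the transitive 1.2.3, it pins shiro-core and shiro-web to one version; the project coordinates are the ones quoted in the issue, and 1.4.0 is the version the reporter used, chosen here only as an illustration.

```xml
<!-- Added example pom.xml fragment; assumes a plain Maven project that
     depends on dropwizard-shiro 0.2.0 (the version named in the issue).
     Keep shiro-core and shiro-web on the same version: a mixed pair
     (e.g. web 1.4.0 over core 1.2.3) still ships the vulnerable core. -->
<properties>
    <!-- 1.4.0 is the version the reporter used; any release >= 1.3.2
         covers both CVE-2016-6802 (servlet filter bypass, fixed in 1.3.2)
         and CVE-2016-4437 ("remember me" cipher key, fixed in 1.2.5). -->
    <shiro.version>1.4.0</shiro.version>
</properties>

<dependencies>
    <!-- Direct dependencies are "nearest" in Maven's resolution, so they
         override the transitive Shiro 1.2.3 that dropwizard-shiro 0.2.0
         would otherwise bring in. No exclusions are needed. -->
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-core</artifactId>
        <version>${shiro.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-web</artifactId>
        <version>${shiro.version}</version>
    </dependency>
    <dependency>
        <groupId>org.secnod.dropwizard</groupId>
        <artifactId>dropwizard-shiro</artifactId>
        <version>0.2.0</version>
    </dependency>
</dependencies>
```

To confirm what actually resolved, run `mvn dependency:tree -Dincludes=org.apache.shiro` and check that every org.apache.shiro line shows the pinned version rather than 1.2.3.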