First published: Wed Dec 13 2023(Updated: )
Apache Shiro could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability when "form" authentication is used. An attacker could exploit this vulnerability using a specially crafted URL to redirect a victim to arbitrary Web sites.
Credit: security@apache.org security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
Apache Shiro | <1.13.0 | |
Apache Shiro | =2.0.0-alpha1 | |
Apache Shiro | =2.0.0-alpha2 | |
Apache Shiro | =2.0.0-alpha3 | |
maven/org.apache.shiro:shiro-web | >=2.0.0-alpha-1<2.0.0-alpha-4 | 2.0.0-alpha-4 |
maven/org.apache.shiro:shiro-web | <1.13.0 | 1.13.0 |
IBM Cognos Analytics | <=12.0.0-12.0.2 | |
IBM Cognos Analytics | <=11.2.0-11.2.4 FP3 | |
debian/shiro | <=1.3.2-4+deb11u1<=1.3.2-5 | |
<1.13.0 | ||
=2.0.0-alpha1 | ||
=2.0.0-alpha2 | ||
=2.0.0-alpha3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-46750 is an 'Open Redirect' vulnerability in Apache Shiro that allows for URL redirection to untrusted sites when 'form' authentication is used.
To mitigate CVE-2023-46750, update to Apache Shiro version 1.13.0 or 2.0.0-alpha-4 or higher.