Apache ShiroÑéÖ¤ÈƹýÎó²î£¨CVE-2020-17523£©

Ðû²¼Ê±¼ä 2021-02-02

0x00 Îó²î¸ÅÊö

CVE  ID

CVE-2020-17523

ʱ  ¼ä

2021-02-02

Àà   ÐÍ

ÑéÖ¤Èƹý

µÈ  ¼¶

ÖÐΣ

Ô¶³ÌʹÓÃ

ÊÇ

Ó°Ïì¹æÄ£

Apache Shiro < 1.7.1

 

0x01 Îó²îÏêÇé

image.png

 

Apache ShiroÊÇÒ»¸öÇ¿Ê¢ÇÒÒ×ÓõÄJavaÇå¾²¿ò¼Ü,ÆäÖ§³ÖÉí·ÝÑéÖ¤¡¢ÊÚȨ¡¢ÃÜÂëºÍ»á»°ÖÎÀíµÈ¡£ ¡£¡£¡£¡£Ê¹ÓÃShiroµÄAPI¿ÉÒÔ¿ìËÙ¡¢ÇáËɵػñµÃÈκÎÓ¦ÓóÌÐò¡£ ¡£¡£¡£¡£

2021Äê02ÔÂ01ÈÕ£¬£¬£¬Apache ShiroÐû²¼1.7.1°æ±¾£¬£¬£¬ÐÞ¸´ÁË Apache Shiro ÖеÄÒ»¸öÉí·ÝÑéÖ¤ÈƹýÎó²î£¨CVE-2020-17523£©¡£ ¡£¡£¡£¡£µ±Apache ShiroÓëSpringÁ¬ÏµÊ¹ÓÃʱ£¬£¬£¬¹¥»÷Õß¿ÉÒÔʹÓöñÒâHTTPÇëÇóÀ´ÈƹýShiroµÄÉí·ÝÈÏÖ¤¡£ ¡£¡£¡£¡£ÀÖ³ÉʹÓôËÎó²îµÄ¹¥»÷Õß¿ÉÒÔÈƹýÉí·ÝÑéÖ¤£¬£¬£¬Àֳɻá¼ûºǫ́¡£ ¡£¡£¡£¡£

 

0x02 ´¦Öóͷ£½¨Òé

ÏÖÔÚ¸ÃÎó²îÒѱ»ÐÞ¸´£¬£¬£¬½¨ÒéÉý¼¶ÖÁApache Shiro 1.7.1¡£ ¡£¡£¡£¡£

ÏÂÔØÁ´½Ó£º

https://shiro.apache.org/download.html

 

0x03 ²Î¿¼Á´½Ó

https://lists.apache.org/thread.html/r13fe9ddc4ebdbf17db22cf1dd2776144bf9fdbfbdf2887a0385538aa%40%3Ccommits.shiro.apache.org%3E

https://shiro.apache.org/news.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17523

 

0x04 ʱ¼äÏß

2021-02-01  Apache ShiroÐû²¼Çå¾²¸üÐÂ

2021-02-02  VSRCÐû²¼Ç徲ͨ¸æ

 

0x05 ¸½Â¼

 

CVSSÆÀ·Ö±ê×¼¹ÙÍø£ºhttp://www.first.org/cvss/

image.png