Hi, in /nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-thymeleaf-shiro, there is a dependency org.apache.shiro:shiro-web:1.3.2 that calls the risky method.
CVE-2020-13933
The affected version range of this CVE is [,1.6.0).
After further analysis, in this project the main API called is org.apache.shiro.web.mgt.CookieRememberMeManager: getRememberedSerializedIdentity(org.apache.shiro.subject.SubjectContext)[B
Risk method repair link: GitHub
CVE Bug Invocation Path (Path Length: 8):
io.nutz.demo.simple.module.UserModule: login(java.lang.String,java.lang.String,javax.servlet.http.HttpSession)Z
org.apache.shiro.SecurityUtils: getSubject()Lorg.apache.shiro.subject.Subject; .m2/repository/org/eclipse/jetty/websocket/websocket-server/9.4.48.v20220622/websocket-server-9.4.48.v20220622.jar
org.apache.shiro.subject.Subject$Builder: buildSubject()Lorg.apache.shiro.subject.Subject; .m2/repository/org/eclipse/jetty/websocket/websocket-server/9.4.48.v20220622/websocket-server-9.4.48.v20220622.jar
org.apache.shiro.mgt.DefaultSecurityManager: createSubject(org.apache.shiro.subject.SubjectContext)Lorg.apache.shiro.subject.Subject; .m2/repository/org/eclipse/jetty/websocket/websocket-server/9.4.48.v20220622/websocket-server-9.4.48.v20220622.jar
org.apache.shiro.mgt.DefaultSecurityManager: resolvePrincipals(org.apache.shiro.subject.SubjectContext)Lorg.apache.shiro.subject.SubjectContext; .m2/repository/org/eclipse/jetty/websocket/websocket-server/9.4.48.v20220622/websocket-server-9.4.48.v20220622.jar
org.apache.shiro.mgt.DefaultSecurityManager: getRememberedIdentity(org.apache.shiro.subject.SubjectContext)Lorg.apache.shiro.subject.PrincipalCollection; .m2/repository/org/eclipse/jetty/websocket/websocket-server/9.4.48.v20220622/websocket-server-9.4.48.v20220622.jar
org.apache.shiro.mgt.AbstractRememberMeManager: getRememberedPrincipals(org.apache.shiro.subject.SubjectContext)Lorg.apache.shiro.subject.PrincipalCollection; .m2/repository/org/eclipse/jetty/websocket/websocket-server/9.4.48.v20220622/websocket-server-9.4.48.v20220622.jar
org.apache.shiro.web.mgt.CookieRememberMeManager: getRememberedSerializedIdentity(org.apache.shiro.subject.SubjectContext)[B
Dependency tree:
[INFO] org.nutz:nutzboot-demo-simple-thymeleaf-shiro:jar:2.5.0-SNAPSHOT
[INFO] +- org.nutz:nutzboot-starter-thymeleaf:jar:2.5.0-SNAPSHOT:compile
[INFO] | \- org.thymeleaf:thymeleaf:jar:3.0.11.RELEASE:compile
[INFO] | +- ognl:ognl:jar:3.1.12:compile
[INFO] | | \- org.javassist:javassist:jar:3.24.0-GA:compile
[INFO] | +- org.attoparser:attoparser:jar:2.0.5.RELEASE:compile
[INFO] | \- org.unbescape:unbescape:jar:1.1.6.RELEASE:compile
[INFO] +- nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:jar:2.2.2:compile
[INFO] | +- nz.net.ultraq.thymeleaf:thymeleaf-expression-processor:jar:1.1.3:compile
[INFO] | \- org.codehaus.groovy:groovy:jar:2.4.6:compile
[INFO] +- org.nutz:nutzboot-starter-nutz-mvc:jar:2.5.0-SNAPSHOT:compile
[INFO] +- org.nutz:nutzboot-starter-nutz-dao:jar:2.5.0-SNAPSHOT:compile
[INFO] | \- org.nutz:nutz-plugins-daocache:jar:1.r.69-SNAPSHOT:compile
[INFO] +- org.nutz:nutzboot-starter-jdbc:jar:2.5.0-SNAPSHOT:compile
[INFO] | \- com.alibaba:druid:jar:1.2.11:compile
[INFO] +- org.nutz:nutzboot-starter-shiro:jar:2.5.0-SNAPSHOT:compile
[INFO] | +- org.nutz:nutz-integration-shiro:jar:1.r.69-SNAPSHOT:compile
[INFO] | | \- org.slf4j:jcl-over-slf4j:jar:1.7.30:compile
[INFO] | +- org.apache.shiro:shiro-web:jar:1.3.2:compile
[INFO] | | \- org.apache.shiro:shiro-core:jar:1.3.2:compile
[INFO] | | \- commons-beanutils:commons-beanutils:jar:1.8.3:compile
[INFO] | +- org.apache.shiro:shiro-ehcache:jar:1.3.2:compile
[INFO] | +- net.sf.ehcache:ehcache:jar:2.10.4:compile
[INFO] | \- org.nutz:nutz-plugins-cache:jar:1.r.69-SNAPSHOT:compile
[INFO] | \- org.nutz:nutz-integration-jedis:jar:1.r.69-SNAPSHOT:compile
[INFO] +- org.nutz:nutzboot-starter-jetty:jar:2.5.0-SNAPSHOT:compile
[INFO] | +- org.eclipse.jetty:jetty-servlets:jar:9.4.48.v20220622:compile
[INFO] | | +- org.eclipse.jetty:jetty-continuation:jar:9.4.48.v20220622:compile
[INFO] | | +- org.eclipse.jetty:jetty-http:jar:9.4.48.v20220622:compile
[INFO] | | +- org.eclipse.jetty:jetty-util:jar:9.4.48.v20220622:compile
[INFO] | | \- org.eclipse.jetty:jetty-io:jar:9.4.48.v20220622:compile
[INFO] | +- org.eclipse.jetty:jetty-webapp:jar:9.4.48.v20220622:compile
[INFO] | | +- org.eclipse.jetty:jetty-xml:jar:9.4.48.v20220622:compile
[INFO] | | \- org.eclipse.jetty:jetty-servlet:jar:9.4.48.v20220622:compile
[INFO] | | +- org.eclipse.jetty:jetty-security:jar:9.4.48.v20220622:compile
[INFO] | | | \- org.eclipse.jetty:jetty-server:jar:9.4.48.v20220622:compile
[INFO] | | \- org.eclipse.jetty:jetty-util-ajax:jar:9.4.48.v20220622:compile
[INFO] | +- org.eclipse.jetty.websocket:websocket-server:jar:9.4.48.v20220622:compile
[INFO] | | +- org.eclipse.jetty.websocket:websocket-common:jar:9.4.48.v20220622:compile
[INFO] | | | \- org.eclipse.jetty.websocket:websocket-api:jar:9.4.48.v20220622:compile
[INFO] | | +- org.eclipse.jetty.websocket:websocket-client:jar:9.4.48.v20220622:compile
[INFO] | | | \- org.eclipse.jetty:jetty-client:jar:9.4.48.v20220622:compile
[INFO] | | \- org.eclipse.jetty.websocket:websocket-servlet:jar:9.4.48.v20220622:compile
[INFO] | +- org.eclipse.jetty.websocket:javax-websocket-server-impl:jar:9.4.48.v20220622:compile
[INFO] | | +- org.eclipse.jetty:jetty-annotations:jar:9.4.48.v20220622:compile
[INFO] | | | +- org.eclipse.jetty:jetty-plus:jar:9.4.48.v20220622:compile
[INFO] | | | \- org.ow2.asm:asm-commons:jar:8.0.1:compile
[INFO] | | | +- org.ow2.asm:asm-tree:jar:8.0.1:compile
[INFO] | | | \- org.ow2.asm:asm-analysis:jar:8.0.1:compile
[INFO] | | +- org.eclipse.jetty.websocket:javax-websocket-client-impl:jar:9.4.48.v20220622:compile
[INFO] | | | \- javax.websocket:javax.websocket-client-api:jar:1.0:compile
[INFO] | | \- javax.websocket:javax.websocket-api:jar:1.0:compile
[INFO] | +- org.slf4j:jul-to-slf4j:jar:1.7.30:compile
[INFO] | +- org.nutz:nutz-plugins-websocket:jar:1.r.69-SNAPSHOT:compile
[INFO] | +- org.nutz:nutzboot-servlet3:jar:2.5.0-SNAPSHOT:compile
[INFO] | | \- javax.annotation:javax.annotation-api:jar:1.2:compile
[INFO] | \- org.ow2.asm:asm:jar:8.0.1:compile
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.7.30:compile
[INFO] | +- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] | \- log4j:log4j:jar:1.2.17:compile
[INFO] +- com.h2database:h2:jar:1.4.196:compile
[INFO] +- com.github.theborakompanioni:thymeleaf-extras-shiro:jar:2.0.0:compile
[INFO] \- org.nutz:nutzboot-core:jar:2.5.0-SNAPSHOT:compile
[INFO] +- org.nutz:nutz:jar:1.r.69-SNAPSHOT:compile
[INFO] +- org.yaml:snakeyaml:jar:1.28:compile
[INFO] \- javax.servlet:javax.servlet-api:jar:3.1.0:compile
Suggested solutions:
Update the dependency version.
Thank you very much.