CVE-2020-17523 - Improper Authentication

Severity: Low

2021-12-08

Abstract

In Apache Shiro before 1.7.1, when Apache Shiro is used with Spring, a specially crafted HTTP request may cause an authentication bypass.

Oxygen XML products incorporate Apache Shiro as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

| Product | Severity | Fixed Release Availability |
|---|---|---|
| Oxygen Content Fusion 4.1 and older | Low | Oxygen Content Fusion 4.1.2 build 2021112414 |

Mitigation

None

Detail

CVE-2020-17523

Severity: Critical

CVSS Score: 9.8

The Apache Shiro third-party library used by Oxygen XML software products is one of the affected versions listed in the CVE-2020-17523 vulnerability description. However, Spring is not included in Oxygen XML software products. Therefore, Oxygen XML software products are not impacted by CVE-2020-17523.

Starting with Oxygen Content Fusion version 4.1, Apache Shiro was updated to version 1.8, which includes a fix for CVE-2020-17523.
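
The applicability condition used above (a Shiro version below 1.7.1 together with Spring on the classpath) can be checked against a deployment's jar inventory. The following is an added example, not code from Oxygen XML or Apache Shiro; it assumes Maven-style jar file names and that Spring appears as `spring-*` modules or the `shiro-spring` integration artifact, and the sample file names are constructed.

```python
import re
from pathlib import Path

# First Apache Shiro release with the fix, per the advisory abstract.
FIXED = (1, 7, 1)

# Assumption: jars use Maven-style names, "<artifact>-<version>[suffix].jar".
JAR_RE = re.compile(
    r"^(?P<artifact>[A-Za-z0-9_.\-]+?)-(?P<version>\d+(?:\.\d+)*)"
    r"(?:[.\-][A-Za-z0-9.\-]+)?\.jar$"
)


def parse_version(text):
    """'1.10.0' -> (1, 10, 0); compared numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def assess(jar_names):
    """Apply the advisory's condition: Shiro below 1.7.1 AND Spring present."""
    shiro_below_fix, spring_jars = [], []
    for name in jar_names:
        match = JAR_RE.match(name)
        if not match:
            continue
        artifact = match["artifact"]
        if artifact.startswith("shiro-") and parse_version(match["version"]) < FIXED:
            shiro_below_fix.append(name)
        # Assumption: Spring shows up as spring-* modules or Shiro's shiro-spring.
        if artifact.startswith("spring-") or artifact == "shiro-spring":
            spring_jars.append(name)
    return {
        "shiro_below_fix": sorted(shiro_below_fix),
        "spring_jars": sorted(spring_jars),
        "exposed": bool(shiro_below_fix and spring_jars),
    }


def scan_dir(root):
    """Inventory every jar under root by file name (shaded jars are not seen)."""
    return assess(p.name for p in Path(root).rglob("*.jar"))


if __name__ == "__main__":
    # Constructed sample inventory, not taken from any Oxygen product.
    sample = ["shiro-core-1.4.0.jar", "shiro-web-1.4.0.jar", "commons-lang3-3.12.0.jar"]
    print(assess(sample))
```

A result with a non-empty `shiro_below_fix` and `exposed` set to false corresponds to the situation this advisory describes: an affected library version is present, but the Spring precondition is not met.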
