CVE-2022-40664 - Improper Authentication

Severity: None2022-11-21

Security Advisories

Abstract

The Shiro package is vulnerable to Improper Authentication. The doFilter() function in the OncePerRequestFilter class executes the filter once per request, even when forwarding or including via javax.servlet.RequestDispatcher. A remote attacker can send a specially crafted HTTP request to bypass security restrictions and gain unauthorized access to the application.

The Oxygen products incorporate Shiro as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen XML Web Author v25.0.0.0 and olderNone Oxygen XML Web Author 25.0.0.1 build 2022111708
Oxygen Content Fusion v5.0.1 and olderNone Content Fusion 5.0.2 build 2022121305

Mitigation

None

Detail

CVE-2022-40664

Severity: Critical

CVSS Score: 9.8

The Shiro third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-40664 vulnerability description. However, the Oxygen products doesn't call the vulnerable code. For that reason, Oxygen XML products are not affected by this vulnerability.

Starting with Oxygen XML Web Author v25.0.0.1 build 2022111708 Shiro library was updated to a newer version that fixes this vulnerability.

List of Security Advisories

Video Tutorials
Upcoming Events
conference
Declarative Amsterdam 2024

Products

Features

Shop

Resources

Support

Company

© 2002-2024 SyncRO Soft SRL. All rights reserved.

This website was created & generated with <oXygen/>®XML Editor