{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-46750", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-10-25T19:11:12.143Z", "datePublished": "2023-12-14T08:15:58.031Z", "dateUpdated": "2024-08-08T13:05:17.314Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.shiro:shiro-web", "product": "Apache Shiro", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "1.13.0", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "2.0.0-alpha-4", "status": "affected", "version": "2.0.0-alpha-1", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Claudio Villella"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">URL Redirection to Untrusted Site ('Open Redirect') vulnerability when \"form\" authentication is used in Apache Shiro.<br><span style=\"background-color: rgb(255, 255, 255);\">Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.</span></span><br>"}], "value": "URL Redirection to Untrusted Site ('Open Redirect') vulnerability when \"form\" authentication is used in Apache Shiro.\nMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.\n"}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-12-14T08:15:58.031Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Shiro: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Shiro.", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9"}, {"url": "https://security.netapp.com/advisory/ntap-20240808-0002/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-08T13:05:17.314Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*", "matchCriteriaId": "4506F25B-7525-4608-9541-2FA9A31C72BF", "versionEndExcluding": "1.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:shiro:2.0.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "27D6F919-851F-470D-A8E7-0F56C1EA16FC", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:shiro:2.0.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "A759179A-E4A9-4A6A-9CCB-5BB9CC73F7E7", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:shiro:2.0.0:alpha3:*:*:*:*:*:*", "matchCriteriaId": "637D39D2-0D98-4137-8D48-C6D8834E07B3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "URL Redirection to Untrusted Site ('Open Redirect') vulnerability when \"form\" authentication is used in Apache Shiro.\nMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.\n"}, {"lang": "es", "value": "Vulnerabilidad de redirecci\u00f3n de URL a un sitio que no es de confianza (\"Open Redirect\") cuando se utiliza la autenticaci\u00f3n de \"formulario\" en Apache Shiro. Mitigaci\u00f3n: actualice a Apache Shiro 1.13.0+ o 2.0.0-alpha-4+."}], "id": "CVE-2023-46750", "lastModified": "2023-12-18T20:10:48.703", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-14T09:15:42.107", "references": [{"source": "security@apache.org", "tags": ["Mailing List"], "url": "https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security@apache.org", "type": "Primary"}]}

{"bugzilla": {"description": "shiro: URL redirection to untrusted site in FORM authentication feature", "id": "2254478", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254478"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-601", "details": ["URL Redirection to Untrusted Site ('Open Redirect') vulnerability when \"form\" authentication is used in Apache Shiro.\nMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.", "An \"Open-Redirect\" flaw was found in the Apache Shiro project. This issue may allow remote attackers to redirect legitimate users to arbitrary web sites containing malware that can compromise the user's machine and conduct phishing attacks to steal the user's credentials."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-46750", "package_state": [{"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "shiro", "product_name": "Red Hat build of Apache Camel for Spring Boot"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Not affected", "package_name": "org.apache.shiro/shiro-core", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "shiro", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "shiro-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "shiro-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Will not fix", "package_name": "shiro-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "shiro", "product_name": "Red Hat JBoss Fuse 7"}], "public_date": "2023-12-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-46750\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-46750\nhttps://issues.apache.org/jira/browse/OFBIZ-12866\nhttps://lists.apache.org/thread/ff0rq7rykh6zxb7l4dronowpoxrcqkr8\nhttps://seclists.org/oss-sec/2023/q4/275\nhttps://www.mail-archive.com/notifications@ofbiz.apache.org/msg52244.html"], "threat_severity": "Moderate", "upstream_fix": "apache-shiro 1.13.0, apache-shiro 2.0.0-alpha-4"}