Vulnerability-Lookup

CVE-2022-40664 (GCVE-0-2022-40664)

Vulnerability from cvelistv5 – Published: 2022-10-12 00:00 – Updated: 2025-05-15 15:02

Title

Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher

Summary

Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.

Severity

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-287 - Improper Authentication

Assigner

apache

References

5 references

URL	Tags
https://lists.apache.org/thread/loc2ktxng32xpy7lf…
http://www.openwall.com/lists/oss-security/2022/10/12/1	mailing-list
http://www.openwall.com/lists/oss-security/2022/10/12/2	mailing-list
http://www.openwall.com/lists/oss-security/2022/10/13/1	mailing-list
https://security.netapp.com/advisory/ntap-2022111…

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Shiro	Affected: Apache Shiro , < 1.10.0 (custom)

Credits

Apache Shiro would like to thank Y4tacker for reporting this issue

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:21:46.341Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg"
          },
          {
            "name": "[oss-security] 20221011 CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/10/12/1"
          },
          {
            "name": "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/10/12/2"
          },
          {
            "name": "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/10/13/1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20221118-0005/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-40664",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-15T15:02:13.459494Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-15T15:02:41.513Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Shiro",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "1.10.0",
              "status": "affected",
              "version": "Apache Shiro",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Apache Shiro would like to thank Y4tacker for reporting this issue"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287 Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-18T00:00:00.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "url": "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg"
        },
        {
          "name": "[oss-security] 20221011 CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/10/12/1"
        },
        {
          "name": "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/10/12/2"
        },
        {
          "name": "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/10/13/1"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20221118-0005/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-40664",
    "datePublished": "2022-10-12T00:00:00.000Z",
    "dateReserved": "2022-09-13T00:00:00.000Z",
    "dateUpdated": "2025-05-15T15:02:41.513Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2022-40664",
      "date": "2026-05-26",
      "epss": "0.00708",
      "percentile": "0.72372"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.10.0\", \"matchCriteriaId\": \"2D80A654-E0DF-4E5D-8EB7-819A50F76F26\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.\"}, {\"lang\": \"es\", \"value\": \"Apache Shiro versiones anteriores a 1.10.0, una vulnerabilidad de Omisi\\u00f3n de Autenticaci\\u00f3n en Shiro cuando es reenviado o es incluida por medio de RequestDispatcher\"}]",
      "id": "CVE-2022-40664",
      "lastModified": "2024-11-21T07:21:49.007",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
      "published": "2022-10-12T07:15:09.100",
      "references": "[{\"url\": \"http://www.openwall.com/lists/oss-security/2022/10/12/1\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/10/12/2\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/10/13/1\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20221118-0005/\", \"source\": \"security@apache.org\", \"tags\": [\"Broken Link\", \"Third Party Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/10/12/1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/10/12/2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/10/13/1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20221118-0005/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security@apache.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security@apache.org\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-287\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-40664\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2022-10-12T07:15:09.100\",\"lastModified\":\"2025-05-15T15:16:02.937\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.\"},{\"lang\":\"es\",\"value\":\"Apache Shiro versiones anteriores a 1.10.0, una vulnerabilidad de Omisi\u00f3n de Autenticaci\u00f3n en Shiro cuando es reenviado o es incluida por medio de RequestDispatcher\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.10.0\",\"matchCriteriaId\":\"2D80A654-E0DF-4E5D-8EB7-819A50F76F26\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2022/10/12/1\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/10/12/2\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/10/13/1\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20221118-0005/\",\"source\":\"security@apache.org\",\"tags\":[\"Broken Link\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/10/12/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/10/12/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/10/13/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20221118-0005/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg\", \"tags\": [\"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/10/12/1\", \"name\": \"[oss-security] 20221011 CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/10/12/2\", \"name\": \"[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/10/13/1\", \"name\": \"[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20221118-0005/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T12:21:46.341Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-40664\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-15T15:02:13.459494Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-15T15:02:34.825Z\"}}], \"cna\": {\"title\": \"Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"value\": \"Apache Shiro would like to thank Y4tacker for reporting this issue\"}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Shiro\", \"versions\": [{\"status\": \"affected\", \"version\": \"Apache Shiro\", \"lessThan\": \"1.10.0\", \"versionType\": \"custom\"}]}], \"references\": [{\"url\": \"https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/10/12/1\", \"name\": \"[oss-security] 20221011 CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher\", \"tags\": [\"mailing-list\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/10/12/2\", \"name\": \"[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher\", \"tags\": [\"mailing-list\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/10/13/1\", \"name\": \"[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher\", \"tags\": [\"mailing-list\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20221118-0005/\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287 Improper Authentication\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2022-11-18T00:00:00.000Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-40664\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-15T15:02:41.513Z\", \"dateReserved\": \"2022-09-13T00:00:00.000Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2022-10-12T00:00:00.000Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2023-AVI-0012

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans IBM Sterling. Certaines d'entre elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur, une exécution de code arbitraire à distance et un déni de service à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
IBM	Sterling	IBM Sterling Partner Engagement Manager (éditions Essentials et Standard) versions 6.2.1.x antérieures à 6.2.1.2
IBM	Sterling	IBM Sterling B2B Integrator versions 6.1.0.x antérieures à 6.1.0.6
IBM	Sterling	IBM Sterling Partner Engagement Manager (éditions Essentials et Standard) versions 6.1.2.x antérieures à 6.1.2.7
IBM	Sterling	IBM Sterling B2B Integrator versions 6.0.x antérieures à 6.0.3.7
IBM	Sterling	IBM Sterling B2B Integrator versions 6.1.2.x antérieures à 6.1.2.1
IBM	Sterling	IBM Sterling Partner Engagement Manager (éditions Essentials et Standard) versions 6.2.0.x antérieures à 6.2.0.5
IBM	Sterling	IBM Sterling B2B Integrator versions 6.1.1.x antérieures à 6.1.1.3

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 6854335 du 09 janvier 2023	None	vendor-advisory
Bulletin de sécurité IBM 6854339 du 09 janvier 2023	None	vendor-advisory
Bulletin de sécurité IBM 6854329 du 09 janvier 2023	None	vendor-advisory
Bulletin de sécurité IBM 6854325 du 09 janvier 2023	None	vendor-advisory
Bulletin de sécurité IBM 6854327 du 09 janvier 2023	None	vendor-advisory
Bulletin de sécurité IBM 6854333 du 09 janvier 2023	None	vendor-advisory
Bulletin de sécurité IBM 6854331 du 09 janvier 2023	None	vendor-advisory
Bulletin de sécurité IBM 6853637 du 09 janvier 2023	None	vendor-advisory
Bulletin de sécurité IBM 6854337 du 09 janvier 2023	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM Sterling Partner Engagement Manager (\u00e9ditions Essentials et Standard) versions 6.2.1.x ant\u00e9rieures \u00e0 6.2.1.2",
      "product": {
        "name": "Sterling",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Sterling B2B Integrator versions 6.1.0.x ant\u00e9rieures \u00e0 6.1.0.6",
      "product": {
        "name": "Sterling",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Sterling Partner Engagement Manager (\u00e9ditions Essentials et Standard) versions 6.1.2.x ant\u00e9rieures \u00e0 6.1.2.7",
      "product": {
        "name": "Sterling",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Sterling B2B Integrator versions 6.0.x ant\u00e9rieures \u00e0 6.0.3.7",
      "product": {
        "name": "Sterling",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Sterling B2B Integrator versions 6.1.2.x ant\u00e9rieures \u00e0 6.1.2.1",
      "product": {
        "name": "Sterling",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Sterling Partner Engagement Manager (\u00e9ditions Essentials et Standard) versions 6.2.0.x ant\u00e9rieures \u00e0 6.2.0.5",
      "product": {
        "name": "Sterling",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Sterling B2B Integrator versions 6.1.1.x ant\u00e9rieures \u00e0 6.1.1.3",
      "product": {
        "name": "Sterling",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2018-19361",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-19361"
    },
    {
      "name": "CVE-2019-12384",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-12384"
    },
    {
      "name": "CVE-2022-40664",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-40664"
    },
    {
      "name": "CVE-2022-40615",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-40615"
    },
    {
      "name": "CVE-2022-34335",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-34335"
    },
    {
      "name": "CVE-2022-31692",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-31692"
    },
    {
      "name": "CVE-2019-20330",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-20330"
    },
    {
      "name": "CVE-2020-8840",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8840"
    },
    {
      "name": "CVE-2022-34305",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-34305"
    },
    {
      "name": "CVE-2021-30129",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-30129"
    },
    {
      "name": "CVE-2018-14720",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-14720"
    },
    {
      "name": "CVE-2020-36518",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-36518"
    },
    {
      "name": "CVE-2022-31690",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-31690"
    },
    {
      "name": "CVE-2022-21541",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21541"
    },
    {
      "name": "CVE-2022-21540",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21540"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-0012",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-01-10T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    },
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans IBM Sterling.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un\nprobl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur, une ex\u00e9cution de code\narbitraire \u00e0 distance et un d\u00e9ni de service \u00e0 distance.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM Sterling",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6854335 du 09 janvier 2023",
      "url": "https://www.ibm.com/support/pages/node/6854335"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6854339 du 09 janvier 2023",
      "url": "https://www.ibm.com/support/pages/node/6854339"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6854329 du 09 janvier 2023",
      "url": "https://www.ibm.com/support/pages/node/6854329"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6854325 du 09 janvier 2023",
      "url": "https://www.ibm.com/support/pages/node/6854325"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6854327 du 09 janvier 2023",
      "url": "https://www.ibm.com/support/pages/node/6854327"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6854333 du 09 janvier 2023",
      "url": "https://www.ibm.com/support/pages/node/6854333"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6854331 du 09 janvier 2023",
      "url": "https://www.ibm.com/support/pages/node/6854331"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6853637 du 09 janvier 2023",
      "url": "https://www.ibm.com/support/pages/node/6853637"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6854337 du 09 janvier 2023",
      "url": "https://www.ibm.com/support/pages/node/6854337"
    }
  ]
}

CERTFR-2023-AVI-0205

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans IBM WebSphere. Elles permettent à un attaquant de provoquer un déni de service à distance et un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	IBM	WebSphere	IBM WebSphere Service Registry and Repository versions 8.5.0 à 8.5.6.3 sans les correctifs de sécurité IJ40949 et IJ45702

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 6962169 du 08 mars 2023

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM WebSphere Service Registry and Repository versions 8.5.0 \u00e0 8.5.6.3 sans les correctifs de s\u00e9curit\u00e9 IJ40949 et IJ45702",
      "product": {
        "name": "WebSphere",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-40664",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-40664"
    },
    {
      "name": "CVE-2023-24998",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24998"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-0205",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-03-09T00:00:00.000000"
    },
    {
      "description": "Suppression d\u0027une source",
      "revision_date": "2023-03-10T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eIBM WebSphere\u003c/span\u003e. Elles permettent \u00e0 un attaquant de\nprovoquer un d\u00e9ni de service \u00e0 distance et un contournement de la\npolitique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM WebSphere",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6962169 du 08 mars 2023",
      "url": "https://www.ibm.com/support/pages/node/6962169"
    }
  ]
}

CERTFR-2023-AVI-0263

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans IBM Cognos. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité, un déni de service à distance et une exécution de code arbitraire à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	IBM	Cognos Analytics	IBM Cognos Analytics versions 11.1.x antérieures à 11.1.7 Fix Pack 6
	IBM	Cognos Analytics	IBM Cognos Analytics versions 11.2.x antérieures à 11.2.4 Fix Pack 1

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 6965290 du 24 mars 2023

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM Cognos Analytics versions 11.1.x ant\u00e9rieures \u00e0 11.1.7 Fix Pack 6",
      "product": {
        "name": "Cognos Analytics",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Cognos Analytics versions 11.2.x ant\u00e9rieures \u00e0 11.2.4 Fix Pack 1",
      "product": {
        "name": "Cognos Analytics",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-44906",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
    },
    {
      "name": "CVE-2022-40664",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-40664"
    },
    {
      "name": "CVE-2020-7789",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7789"
    },
    {
      "name": "CVE-2020-7598",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7598"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-0263",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-03-27T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eIBM Cognos\u003c/span\u003e. Elles permettent \u00e0 un attaquant de\nprovoquer un contournement de la politique de s\u00e9curit\u00e9, un d\u00e9ni de\nservice \u00e0 distance et une ex\u00e9cution de code arbitraire \u00e0 distance.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM Cognos",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6965290 du 24 mars 2023",
      "url": "https://www.ibm.com/support/pages/node/6965290"
    }
  ]
}

CERTFR-2023-AVI-0012

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
IBM	Sterling	IBM Sterling Partner Engagement Manager (éditions Essentials et Standard) versions 6.2.1.x antérieures à 6.2.1.2
IBM	Sterling	IBM Sterling B2B Integrator versions 6.1.0.x antérieures à 6.1.0.6
IBM	Sterling	IBM Sterling Partner Engagement Manager (éditions Essentials et Standard) versions 6.1.2.x antérieures à 6.1.2.7
IBM	Sterling	IBM Sterling B2B Integrator versions 6.0.x antérieures à 6.0.3.7
IBM	Sterling	IBM Sterling B2B Integrator versions 6.1.2.x antérieures à 6.1.2.1
IBM	Sterling	IBM Sterling Partner Engagement Manager (éditions Essentials et Standard) versions 6.2.0.x antérieures à 6.2.0.5
IBM	Sterling	IBM Sterling B2B Integrator versions 6.1.1.x antérieures à 6.1.1.3

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 6854335 du 09 janvier 2023	None	vendor-advisory
Bulletin de sécurité IBM 6854339 du 09 janvier 2023	None	vendor-advisory
Bulletin de sécurité IBM 6854329 du 09 janvier 2023	None	vendor-advisory
Bulletin de sécurité IBM 6854325 du 09 janvier 2023	None	vendor-advisory
Bulletin de sécurité IBM 6854327 du 09 janvier 2023	None	vendor-advisory
Bulletin de sécurité IBM 6854333 du 09 janvier 2023	None	vendor-advisory
Bulletin de sécurité IBM 6854331 du 09 janvier 2023	None	vendor-advisory
Bulletin de sécurité IBM 6853637 du 09 janvier 2023	None	vendor-advisory
Bulletin de sécurité IBM 6854337 du 09 janvier 2023	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM Sterling Partner Engagement Manager (\u00e9ditions Essentials et Standard) versions 6.2.1.x ant\u00e9rieures \u00e0 6.2.1.2",
      "product": {
        "name": "Sterling",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Sterling B2B Integrator versions 6.1.0.x ant\u00e9rieures \u00e0 6.1.0.6",
      "product": {
        "name": "Sterling",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Sterling Partner Engagement Manager (\u00e9ditions Essentials et Standard) versions 6.1.2.x ant\u00e9rieures \u00e0 6.1.2.7",
      "product": {
        "name": "Sterling",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Sterling B2B Integrator versions 6.0.x ant\u00e9rieures \u00e0 6.0.3.7",
      "product": {
        "name": "Sterling",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Sterling B2B Integrator versions 6.1.2.x ant\u00e9rieures \u00e0 6.1.2.1",
      "product": {
        "name": "Sterling",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Sterling Partner Engagement Manager (\u00e9ditions Essentials et Standard) versions 6.2.0.x ant\u00e9rieures \u00e0 6.2.0.5",
      "product": {
        "name": "Sterling",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Sterling B2B Integrator versions 6.1.1.x ant\u00e9rieures \u00e0 6.1.1.3",
      "product": {
        "name": "Sterling",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2018-19361",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-19361"
    },
    {
      "name": "CVE-2019-12384",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-12384"
    },
    {
      "name": "CVE-2022-40664",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-40664"
    },
    {
      "name": "CVE-2022-40615",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-40615"
    },
    {
      "name": "CVE-2022-34335",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-34335"
    },
    {
      "name": "CVE-2022-31692",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-31692"
    },
    {
      "name": "CVE-2019-20330",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-20330"
    },
    {
      "name": "CVE-2020-8840",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8840"
    },
    {
      "name": "CVE-2022-34305",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-34305"
    },
    {
      "name": "CVE-2021-30129",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-30129"
    },
    {
      "name": "CVE-2018-14720",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-14720"
    },
    {
      "name": "CVE-2020-36518",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-36518"
    },
    {
      "name": "CVE-2022-31690",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-31690"
    },
    {
      "name": "CVE-2022-21541",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21541"
    },
    {
      "name": "CVE-2022-21540",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21540"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-0012",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-01-10T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    },
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans IBM Sterling.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un\nprobl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur, une ex\u00e9cution de code\narbitraire \u00e0 distance et un d\u00e9ni de service \u00e0 distance.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM Sterling",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6854335 du 09 janvier 2023",
      "url": "https://www.ibm.com/support/pages/node/6854335"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6854339 du 09 janvier 2023",
      "url": "https://www.ibm.com/support/pages/node/6854339"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6854329 du 09 janvier 2023",
      "url": "https://www.ibm.com/support/pages/node/6854329"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6854325 du 09 janvier 2023",
      "url": "https://www.ibm.com/support/pages/node/6854325"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6854327 du 09 janvier 2023",
      "url": "https://www.ibm.com/support/pages/node/6854327"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6854333 du 09 janvier 2023",
      "url": "https://www.ibm.com/support/pages/node/6854333"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6854331 du 09 janvier 2023",
      "url": "https://www.ibm.com/support/pages/node/6854331"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6853637 du 09 janvier 2023",
      "url": "https://www.ibm.com/support/pages/node/6853637"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6854337 du 09 janvier 2023",
      "url": "https://www.ibm.com/support/pages/node/6854337"
    }
  ]
}

CERTFR-2023-AVI-0205

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	IBM	WebSphere	IBM WebSphere Service Registry and Repository versions 8.5.0 à 8.5.6.3 sans les correctifs de sécurité IJ40949 et IJ45702

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 6962169 du 08 mars 2023

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM WebSphere Service Registry and Repository versions 8.5.0 \u00e0 8.5.6.3 sans les correctifs de s\u00e9curit\u00e9 IJ40949 et IJ45702",
      "product": {
        "name": "WebSphere",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-40664",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-40664"
    },
    {
      "name": "CVE-2023-24998",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24998"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-0205",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-03-09T00:00:00.000000"
    },
    {
      "description": "Suppression d\u0027une source",
      "revision_date": "2023-03-10T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eIBM WebSphere\u003c/span\u003e. Elles permettent \u00e0 un attaquant de\nprovoquer un d\u00e9ni de service \u00e0 distance et un contournement de la\npolitique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM WebSphere",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6962169 du 08 mars 2023",
      "url": "https://www.ibm.com/support/pages/node/6962169"
    }
  ]
}

CERTFR-2023-AVI-0263

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	IBM	Cognos Analytics	IBM Cognos Analytics versions 11.1.x antérieures à 11.1.7 Fix Pack 6
	IBM	Cognos Analytics	IBM Cognos Analytics versions 11.2.x antérieures à 11.2.4 Fix Pack 1

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 6965290 du 24 mars 2023

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM Cognos Analytics versions 11.1.x ant\u00e9rieures \u00e0 11.1.7 Fix Pack 6",
      "product": {
        "name": "Cognos Analytics",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Cognos Analytics versions 11.2.x ant\u00e9rieures \u00e0 11.2.4 Fix Pack 1",
      "product": {
        "name": "Cognos Analytics",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-44906",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
    },
    {
      "name": "CVE-2022-40664",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-40664"
    },
    {
      "name": "CVE-2020-7789",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7789"
    },
    {
      "name": "CVE-2020-7598",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7598"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-0263",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-03-27T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eIBM Cognos\u003c/span\u003e. Elles permettent \u00e0 un attaquant de\nprovoquer un contournement de la politique de s\u00e9curit\u00e9, un d\u00e9ni de\nservice \u00e0 distance et une ex\u00e9cution de code arbitraire \u00e0 distance.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM Cognos",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6965290 du 24 mars 2023",
      "url": "https://www.ibm.com/support/pages/node/6965290"
    }
  ]
}

CNVD-2022-68497

Vulnerability from cnvd - Published: 2022-10-13

Title

Apache Shiro身份验证绕过漏洞（CNVD-2022-68497）

Description

Apache Shiro是一个Java安全框架，它具有身份验证、访问授权、数据加密、会话管理等功能。 Apache Shiro存在身份验证绕过漏洞，该漏洞是由于当通过RequestDispatcher接口进行请求转发或请求包含时导致的，目前没有详细的漏洞细节提供。

Severity

高

Patch Name

Apache Shiro身份验证绕过漏洞（CNVD-2022-68497）的补丁

Patch Description

Apache Shiro是一个Java安全框架，它具有身份验证、访问授权、数据加密、会话管理等功能。 Apache Shiro存在身份验证绕过漏洞，该漏洞是由于当通过RequestDispatcher接口进行请求转发或请求包含时导致的，目前没有详细的漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

用户可参考如下供应商提供的安全公告获得补丁信息： https://shiro.apache.org/download.html

Reference

https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg https://shiro.apache.org/documentation.html

Impacted products

Name
Apache Shiro < 1.10.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-40664"
    }
  },
  "description": "Apache Shiro\u662f\u4e00\u4e2aJava\u5b89\u5168\u6846\u67b6\uff0c\u5b83\u5177\u6709\u8eab\u4efd\u9a8c\u8bc1\u3001\u8bbf\u95ee\u6388\u6743\u3001\u6570\u636e\u52a0\u5bc6\u3001\u4f1a\u8bdd\u7ba1\u7406\u7b49\u529f\u80fd\u3002\n\nApache Shiro\u5b58\u5728\u8eab\u4efd\u9a8c\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u662f\u7531\u4e8e\u5f53\u901a\u8fc7RequestDispatcher\u63a5\u53e3\u8fdb\u884c\u8bf7\u6c42\u8f6c\u53d1\u6216\u8bf7\u6c42\u5305\u542b\u65f6\u5bfc\u81f4\u7684\uff0c\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://shiro.apache.org/download.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-68497",
  "openTime": "2022-10-13",
  "patchDescription": "Apache Shiro\u662f\u4e00\u4e2aJava\u5b89\u5168\u6846\u67b6\uff0c\u5b83\u5177\u6709\u8eab\u4efd\u9a8c\u8bc1\u3001\u8bbf\u95ee\u6388\u6743\u3001\u6570\u636e\u52a0\u5bc6\u3001\u4f1a\u8bdd\u7ba1\u7406\u7b49\u529f\u80fd\u3002\r\n\r\nApache Shiro\u5b58\u5728\u8eab\u4efd\u9a8c\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u662f\u7531\u4e8e\u5f53\u901a\u8fc7RequestDispatcher\u63a5\u53e3\u8fdb\u884c\u8bf7\u6c42\u8f6c\u53d1\u6216\u8bf7\u6c42\u5305\u542b\u65f6\u5bfc\u81f4\u7684\uff0c\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Shiro\u8eab\u4efd\u9a8c\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e\uff08CNVD-2022-68497\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Shiro \u003c 1.10.0"
  },
  "referenceLink": "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg\r\nhttps://shiro.apache.org/documentation.html",
  "serverity": "\u9ad8",
  "submitTime": "2022-10-13",
  "title": "Apache Shiro\u8eab\u4efd\u9a8c\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e\uff08CNVD-2022-68497\uff09"
}

FKIE_CVE-2022-40664

Vulnerability from fkie_nvd - Published: 2022-10-12 07:15 - Updated: 2025-05-15 15:16

Severity

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.

References

URL	Tags
security@apache.org	http://www.openwall.com/lists/oss-security/2022/10/12/1	Mailing List, Third Party Advisory
security@apache.org	http://www.openwall.com/lists/oss-security/2022/10/12/2	Mailing List, Third Party Advisory
security@apache.org	http://www.openwall.com/lists/oss-security/2022/10/13/1	Mailing List, Third Party Advisory
security@apache.org	https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg	Mailing List, Release Notes, Vendor Advisory
security@apache.org	https://security.netapp.com/advisory/ntap-20221118-0005/	Broken Link, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2022/10/12/1	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2022/10/12/2	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2022/10/13/1	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg	Mailing List, Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20221118-0005/	Broken Link, Third Party Advisory

Impacted products

	Vendor	Product	Version
	apache	shiro	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2D80A654-E0DF-4E5D-8EB7-819A50F76F26",
              "versionEndExcluding": "1.10.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher."
    },
    {
      "lang": "es",
      "value": "Apache Shiro versiones anteriores a 1.10.0, una vulnerabilidad de Omisi\u00f3n de Autenticaci\u00f3n en Shiro cuando es reenviado o es incluida por medio de RequestDispatcher"
    }
  ],
  "id": "CVE-2022-40664",
  "lastModified": "2025-05-15T15:16:02.937",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2022-10-12T07:15:09.100",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/10/12/1"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/10/12/2"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/10/13/1"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Broken Link",
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20221118-0005/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/10/12/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/10/12/2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/10/13/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link",
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20221118-0005/"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    }
  ]
}

GHSA-45X9-Q6VJ-CQGQ

Vulnerability from github – Published: 2022-10-12 12:00 – Updated: 2022-10-13 20:11

Summary

Apache Shiro Authentication Bypass vulnerability

Details

Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.

Severity

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.shiro:shiro-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-40664"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-12T19:43:15Z",
    "nvd_published_at": "2022-10-12T07:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.",
  "id": "GHSA-45x9-q6vj-cqgq",
  "modified": "2022-10-13T20:11:12Z",
  "published": "2022-10-12T12:00:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40664"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/shiro"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20221118-0005"
    },
    {
      "type": "WEB",
      "url": "https://shiro.apache.org/blog/2022/10/10/2022/apache-shiro-1101-released.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/10/12/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/10/12/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/10/13/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Shiro Authentication Bypass vulnerability"
}

GSD-2022-40664

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.

Aliases

CVE-2022-40664

Aliases

CVE-2022-40664

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-40664",
    "id": "GSD-2022-40664"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-40664"
      ],
      "details": "Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.",
      "id": "GSD-2022-40664",
      "modified": "2023-12-13T01:19:31.253468Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2022-40664",
        "STATE": "PUBLIC",
        "TITLE": "Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache Shiro",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "Apache Shiro",
                          "version_value": "1.10.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Apache Shiro would like to thank Y4tacker for reporting this issue"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": [
        {}
      ],
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-287 Improper Authentication"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg"
          },
          {
            "name": "[oss-security] 20221011 CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2022/10/12/1"
          },
          {
            "name": "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2022/10/12/2"
          },
          {
            "name": "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2022/10/13/1"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20221118-0005/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20221118-0005/"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,1.10.0)",
          "affected_versions": "All versions before 1.10.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-287",
            "CWE-937"
          ],
          "date": "2023-02-02",
          "description": "Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.",
          "fixed_versions": [
            "1.10.0"
          ],
          "identifier": "CVE-2022-40664",
          "identifiers": [
            "CVE-2022-40664"
          ],
          "not_impacted": "",
          "package_slug": "maven/org.apache.shiro/shiro-all",
          "pubdate": "2022-10-12",
          "solution": "Upgrade to version 1.10.0 or above.",
          "title": "Improper Authentication",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-40664",
            "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg",
            "http://www.openwall.com/lists/oss-security/2022/10/12/1",
            "http://www.openwall.com/lists/oss-security/2022/10/12/2",
            "http://www.openwall.com/lists/oss-security/2022/10/13/1"
          ],
          "uuid": "1afd3d2f-6da0-4dba-a0ef-d7e80e388331"
        },
        {
          "affected_range": "(,1.10.0)",
          "affected_versions": "All versions before 1.10.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-287",
            "CWE-937"
          ],
          "date": "2023-02-02",
          "description": "Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.",
          "fixed_versions": [
            "1.10.0"
          ],
          "identifier": "CVE-2022-40664",
          "identifiers": [
            "CVE-2022-40664"
          ],
          "not_impacted": "",
          "package_slug": "maven/org.apache.shiro/shiro-core",
          "pubdate": "2022-10-12",
          "solution": "Upgrade to version 1.10.0 or above.",
          "title": "Improper Authentication",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-40664",
            "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg",
            "http://www.openwall.com/lists/oss-security/2022/10/12/1",
            "http://www.openwall.com/lists/oss-security/2022/10/12/2",
            "http://www.openwall.com/lists/oss-security/2022/10/13/1"
          ],
          "uuid": "58321a39-a022-40a8-8a65-db3e74627f5a"
        },
        {
          "affected_range": "(,1.10.0)",
          "affected_versions": "All versions before 1.10.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-287",
            "CWE-937"
          ],
          "date": "2023-02-02",
          "description": "Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.",
          "fixed_versions": [
            "1.10.0"
          ],
          "identifier": "CVE-2022-40664",
          "identifiers": [
            "CVE-2022-40664"
          ],
          "not_impacted": "",
          "package_slug": "maven/org.apache.shiro/shiro-spring-boot-web-starter",
          "pubdate": "2022-10-12",
          "solution": "Upgrade to version 1.10.0 or above.",
          "title": "Improper Authentication",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-40664",
            "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg",
            "http://www.openwall.com/lists/oss-security/2022/10/12/1",
            "http://www.openwall.com/lists/oss-security/2022/10/12/2",
            "http://www.openwall.com/lists/oss-security/2022/10/13/1"
          ],
          "uuid": "352e493d-1c1e-46bc-b0b0-044966078844"
        },
        {
          "affected_range": "(,1.10.0)",
          "affected_versions": "All versions before 1.10.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-287",
            "CWE-937"
          ],
          "date": "2023-02-02",
          "description": "Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.",
          "fixed_versions": [
            "1.10.0"
          ],
          "identifier": "CVE-2022-40664",
          "identifiers": [
            "CVE-2022-40664"
          ],
          "not_impacted": "",
          "package_slug": "maven/org.apache.shiro/shiro-web",
          "pubdate": "2022-10-12",
          "solution": "Upgrade to version 1.10.0 or above.",
          "title": "Improper Authentication",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-40664",
            "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg",
            "http://www.openwall.com/lists/oss-security/2022/10/12/1",
            "http://www.openwall.com/lists/oss-security/2022/10/12/2",
            "http://www.openwall.com/lists/oss-security/2022/10/13/1"
          ],
          "uuid": "283f750b-2ec6-4562-a9af-2e3db11132ee"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.10.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-40664"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-287"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "N/A",
              "refsource": "CONFIRM",
              "tags": [
                "Mailing List",
                "Release Notes",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg"
            },
            {
              "name": "[oss-security] 20221011 CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/10/12/1"
            },
            {
              "name": "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/10/12/2"
            },
            {
              "name": "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/10/13/1"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20221118-0005/",
              "refsource": "CONFIRM",
              "tags": [
                "Broken Link",
                "Third Party Advisory"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20221118-0005/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-02-02T18:48Z",
      "publishedDate": "2022-10-12T07:15Z"
    }
  }
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-40664 (GCVE-0-2022-40664)

Solution

Solution

Solution

Solution

Solution

Solution

Tags

Sightings

Nomenclature