Apache Shiro vulnerability for versions < 1.10.0

Hi Sonatype Team,

Our vuln scanner caught the recent finding for Shiro:
https://nvd.nist.gov/vuln/detail/CVE-2022-40664
https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg

Specifically, the following jars:
/srv/nexus-3.38.0-01/system/org/apache/shiro/shiro-core/1.8.0/shiro-core-1.8.0.jar
/srv/nexus-3.38.0-01/system/org/apache/shiro/shiro-guice/1.8.0/shiro-guice-1.8.0.jar
/srv/nexus-3.38.0-01/system/org/apache/shiro/shiro-web/1.8.0/shiro-web-1.8.0.jar

When can we expect a build to resolve the finding?
Thanks

From what I understand, the next release should be soon, and it contains the upgrade to this dependency.


3.43.0 is now released, which contains this fix.
