Skip to content

Commit 8a57211

Browse files
committed
1 parent 2a901a3 commit 8a57211

1 file changed

Lines changed: 37 additions & 6 deletions

File tree

advisories/unreviewed/2026/05/GHSA-7pq2-fhx9-x464/GHSA-7pq2-fhx9-x464.json

Lines changed: 37 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -6,18 +6,49 @@
66
"aliases": [
77
"CVE-2026-48589"
88
],
9+
"summary": "Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow",
910
"details": "Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login.\nIn affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module.\nThis issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.",
10-
"severity": [
11+
"severity": [],
12+
"affected": [
1113
{
12-
"type": "CVSS_V3",
13-
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
14+
"package": {
15+
"ecosystem": "Maven",
16+
"name": "org.apache.shiro:shiro-jakarta-ee"
17+
},
18+
"ranges": [
19+
{
20+
"type": "ECOSYSTEM",
21+
"events": [
22+
{
23+
"introduced": "0"
24+
},
25+
{
26+
"last_affected": "2.0.0-alpha-0"
27+
}
28+
]
29+
}
30+
]
1431
},
1532
{
16-
"type": "CVSS_V4",
17-
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:D/RE:X/U:Green"
33+
"package": {
34+
"ecosystem": "Maven",
35+
"name": "org.apache.shiro:shiro-jakarta-ee"
36+
},
37+
"ranges": [
38+
{
39+
"type": "ECOSYSTEM",
40+
"events": [
41+
{
42+
"introduced": "0"
43+
},
44+
{
45+
"last_affected": "3.0.0-alpha-0"
46+
}
47+
]
48+
}
49+
]
1850
}
1951
],
20-
"affected": [],
2152
"references": [
2253
{
2354
"type": "ADVISORY",

0 commit comments

Comments
 (0)