Tkswifty

Name of the Vulnerable Software and Affected Versions: Spring WebFlux (affected versions not specified) Description: The issue is caused by weaknesses in the authorization procedure of the Spring Framework's WebMvc.fn and WebFlux.fn functional web frameworks. This can allow a remote attacker to impact the confidentiality, integrity, and availability of protected information. For an application to be affected, it must be a WebFlux application, use Spring's static resources support, and have a non-permitAll authorization rule applied to the static resources support. An exploit for this issue has been released and is being actively exploited. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Spring WebFlux versions (affected versions not specified) **Description** Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass. The issue may allow a remote attacker to bypass existing security restrictions. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache Shiro versions prior to 1.12.0 or 2.0.0-alpha-3 **Description** The issue is related to a path traversal attack that can result in an authentication bypass when Apache Shiro is used together with APIs or other web frameworks that route requests based on non-normalized requests. This can allow a remote attacker to bypass security restrictions by sending specially crafted requests. **Recommendations** Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+ to resolve the issue.