You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The cause of the vulnerability
The project uses shiro1.7.0 version, this version should not have this vulnerability;
Code layer troubleshooting:
The default key is used (one of the reasons for this vulnerability)
From the point of view of the exploited gadget, the commonscollection exploit chain is used (the second reason for this vulnerability), and the commons-collections vulnerability should use version 3.2.2 and above
Check shiro related calling code:
The Shiro deserialization vulnerability is caused by calling the getRememberedSerializedIdentity() function of the CookieRememberMeManager class. The official repair code is as follows, the repair plan is to delete the CookieRememberMeManager class
The CookieRememberMeManager class was added when the open source project was rewritten, which led to the generation of vulnerabilities.
The cause of the vulnerability
The project uses shiro1.7.0 version, this version should not have this vulnerability;
Code layer troubleshooting:
The Shiro deserialization vulnerability is caused by calling the getRememberedSerializedIdentity() function of the CookieRememberMeManager class. The official repair code is as follows, the repair plan is to delete the CookieRememberMeManager class
The CookieRememberMeManager class was added when the open source project was rewritten, which led to the generation of vulnerabilities.
Exploit:
You can use the following tools to exploit this vulnerability, Github project: https://github.com/j1anFen/shiro_attack
Execute system commands
The text was updated successfully, but these errors were encountered: