CVE-2022-32532 - Incorrect handling of inheritable capabilities

Severity: Low2022-10-13

Security Advisories

Abstract

Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen Content Fusion v5.0 and older versionsLow Oxygen Content Fusion 5.0.1 build 2022092005
Oxygen XML Web Author v24.1 and older versionsLow Oxygen XML Web Author 24.1.0.2 build 2022110410
Oxygen XML Web Author 25.0.0.1 build 2022100711

Mitigation

N/A

Detail

Severity: Critical

CVSS Score: 9.8

The Apache Shiro third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-32532 vulnerability description. However, Oxygen XML products does not use RegExPatternMatcher. For that reason, we are rated the severity level for our products as Low.

Starting with Oxygen Content Fusion v5.0.1 build 2022092005 Apache Shiro was updated to version 1.9.1, which includes a fix for CVE-2022-325332.

Starting with Oxygen XML Web Author v25.0.0.1 build 2022070522 Apache Shiro was updated to version 1.9.1, which includes a fix for CVE-2022-325332.

Revision History

2022-11-21 Starting with Oxygen XML Web Author version 24.1.1.2 build 2022110410, the Apache Shiro was updated to version 1.9.1, which includes a fix for CVE-2022-325332.

List of Security Advisories

Video Tutorials
Upcoming Events
webinar
Oxygen AI Positron: Your Helper in All Stages of Content Creation
May 8, 2024

Products

Features

Shop

Resources

Support

Company

© 2002-2024 SyncRO Soft SRL. All rights reserved.

This website was created & generated with <oXygen/>®XML Editor