diff --git a/advisories/unreviewed/2026/05/GHSA-7pq2-fhx9-x464/GHSA-7pq2-fhx9-x464.json b/advisories/unreviewed/2026/05/GHSA-7pq2-fhx9-x464/GHSA-7pq2-fhx9-x464.json
index 74daa32a16f3d..2d968840d1a4e 100644
--- a/advisories/unreviewed/2026/05/GHSA-7pq2-fhx9-x464/GHSA-7pq2-fhx9-x464.json
+++ b/advisories/unreviewed/2026/05/GHSA-7pq2-fhx9-x464/GHSA-7pq2-fhx9-x464.json
@@ -6,18 +6,49 @@
 "aliases": [
 "CVE-2026-48589"
 ],
+ "summary": "Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow",
 "details": "Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login.\nIn affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module.\nThis issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.",
- "severity": [
+ "severity": [],
+ "affected": [
 {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.apache.shiro:shiro-jakarta-ee"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "2.0.0-alpha-0"
+ }
+ ]
+ }
+ ]
 },
 {
- "type": "CVSS_V4",
- "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:D/RE:X/U:Green"
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.apache.shiro:shiro-jakarta-ee"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "3.0.0-alpha-0"
+ }
+ ]
+ }
+ ]
 }
 ],
- "affected": [],
 "references": [
 {
 "type": "ADVISORY",
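Review bot: The two `affected` ranges added here do not agree with the unchanged `details` text, which says 2.0-alpha through 2.2.0 and 3.0.0-alpha-1 are affected: both ranges begin at `"introduced": "0"` and end at `"last_affected": "2.0.0-alpha-0"` and `"last_affected": "3.0.0-alpha-0"`, and under Maven version ordering `3.0.0-alpha-0` sorts before `3.0.0-alpha-1`, so a consumer matching on these ranges would report 3.0.0-alpha-1 as unaffected. The two ranges also overlap on the same package (both introduced at "0"), so the first range adds nothing the second does not already cover. If the prose is authoritative, the boundaries should presumably read `"last_affected": "2.2.0"` and `"last_affected": "3.0.0-alpha-1"` (or `fixed` events once patched releases are known), with the 2.x range introduced at the 2.0 alpha line rather than "0"; whether the `-alpha-0` values are placeholders cannot be told from the hunk.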