security related problem file

jI-mi — Wed, 04 Mar 2026 04:20:28 GMT

I am a Korean user. Recently, I received instructions to address the Apache Shiro security issue pointed out by the Korean Financial Supervisory Service. I am currently using CDH 7.1.8-1 and was instructed to update Shiro from the current version 1.11 to 1.13 or higher. As far as I know, it is being used in multiple places such as Knox and Kafka. Could you please let me know how to update it as soon as possible?

Re: security related problem file

haridjh — Wed, 04 Mar 2026 14:28:18 GMT

@jI-mi Could you please share the CVE or vulnerability details with the usage of Apache Shiro Version.

Re: security related problem file

vafs — Wed, 04 Mar 2026 23:09:32 GMT

Hello @jI-mi,

As @haridjh told, it will be good to know the CVE that you're seeing to confirm if this is solved or reported.

Anyways, there are some fixed Apache Shiro CVEs documented here:

7.1.8 CHF2: https://docs.cloudera.com/cdp-private-cloud-base/7.1.8/runtime-release-notes/topics/chf2-pvcb-718.html
CDPD-45726 - Upgrade Shiro to 1.10.0 due to CVE-2022-40664
CDPD-45727 - CDPD - Upgrade Shiro to 1.10.0 due to CVE-2022-40664

7.1.8 CHF18: https://docs.cloudera.com/cdp-private-cloud-base/7.1.8/runtime-release-notes/topics/chf18-pvcb-718.html
CDPD-59365: CDPD - Upgrade Shiro to 1.12.0 due to CVE-2023-34478
CDPD-59364: Upgrade Shiro to 1.12.0 due to CVE-2023-34478

7.1.8 CHF19: https://docs.cloudera.com/cdp-private-cloud-base/7.1.8/runtime-release-notes/topics/chf19-pvcb-718.html
CDPD-65013: CDPD - Upgrade Apache Shiro to 1.13.0 due to CVE-2023-46750
CDPD-65012: Upgrade Apache Shiro to 1.13.0 due to CVE-2023-46750

7.1.9: https://docs.cloudera.com/cdp-private-cloud-base/7.1.9/runtime-release-notes/topics/fixed_common_vulnerabilities_exposures_719.html
CVE-2023-22602 - When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.

7.1.9 SP1: https://docs.cloudera.com/cdp-private-cloud-base/7.1.9/runtime-release-notes/topics/rt-pvc-cve-719sp1.html
CVE-2023-34478 Apache Shiro
CVE-2023-46749 Apache Shiro
CVE-2023-46750 Apache Shiro

7.1.3 SP3 CHF1: https://docs.cloudera.com/cdp-private-cloud-base/7.3.1/private-release-notes/topics/fixed-common-vulnerabilities-exposures-731_600.html
CVE-2023-46750 - Shiro Ehcache
CVE-2023-46749 - Shiro Ehcache
CVE-2023-34478 - Shiro Ehcache
CVE-2023-22602 - Shiro Ehcache
CVE-2022-40664 - Shiro Ehcache
CVE-2022-32532 - Shiro Ehcache
CVE-2021-41303 - Shiro Ehcache
CVE-2020-1957 - Shiro Ehcache
CVE-2020-17523 - Shiro Ehcache
CVE-2020-17510 - Shiro Ehcache
CVE-2020-13933 - Shiro Ehcache
CVE-2020-11989 - Shiro Ehcache
CVE-2019-12422 - Shiro Ehcache
CVE-2016-4437 - Shiro Ehcache
CVE-2010-3863 - Shiro Ehcache

Take a look on those CVE and see if the one you need to resolve is included there.

I found two that looks similar to what you mentioned:
https://nvd.nist.gov/vuln/detail/CVE-2023-46749 solved in 7.1.9 SP1
https://nvd.nist.gov/vuln/detail/CVE-2023-46750 solved in 7.1.8 CHF19

Re: security related problem file

DianaTorres — Wed, 11 Mar 2026 02:41:06 GMT

@jI-mi Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. Thanks.

question Re: security related problem file in Support Questions

security related problem file

Re: security related problem file

Re: security related problem file

Re: security related problem file