security related problem file

Explorer

I am a Korean user. Recently, I received instructions to address the Apache Shiro security issue pointed out by the Korean Financial Supervisory Service. I am currently using CDH 7.1.8-1 and was instructed to update Shiro from the current version 1.11 to 1.13 or higher. As far as I know, it is being used in multiple places such as Knox and Kafka. Could you please let me know how to update it as soon as possible?

1 ACCEPTED SOLUTION

Master Collaborator

Hello @jI-mi

As @haridjh said, it would be good to know the CVE that you're seeing, to confirm whether it is solved or reported.

Anyways, there are some fixed Apache Shiro CVEs documented here: 

7.1.8 CHF2: https://docs.cloudera.com/cdp-private-cloud-base/7.1.8/runtime-release-notes/topics/chf2-pvcb-718.ht... 
CDPD-45726 - Upgrade Shiro to 1.10.0 due to CVE-2022-40664
CDPD-45727 - CDPD - Upgrade Shiro to 1.10.0 due to CVE-2022-40664

7.1.8 CHF18: https://docs.cloudera.com/cdp-private-cloud-base/7.1.8/runtime-release-notes/topics/chf18-pvcb-718.h... 
CDPD-59365: CDPD - Upgrade Shiro to 1.12.0 due to CVE-2023-34478
CDPD-59364: Upgrade Shiro to 1.12.0 due to CVE-2023-34478 

7.1.8 CHF19: https://docs.cloudera.com/cdp-private-cloud-base/7.1.8/runtime-release-notes/topics/chf19-pvcb-718.h... 
CDPD-65013: CDPD - Upgrade Apache Shiro to 1.13.0 due to CVE-2023-46750
CDPD-65012: Upgrade Apache Shiro to 1.13.0 due to CVE-2023-46750

7.1.9: https://docs.cloudera.com/cdp-private-cloud-base/7.1.9/runtime-release-notes/topics/fixed_common_vul...
CVE-2023-22602 - When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.

7.1.9 SP1: https://docs.cloudera.com/cdp-private-cloud-base/7.1.9/runtime-release-notes/topics/rt-pvc-cve-719sp...
CVE-2023-34478 Apache Shiro
CVE-2023-46749 Apache Shiro
CVE-2023-46750 Apache Shiro

7.3.1 SP3 CHF1: https://docs.cloudera.com/cdp-private-cloud-base/7.3.1/private-release-notes/topics/fixed-common-vul...
CVE-2023-46750 - Shiro Ehcache
CVE-2023-46749 - Shiro Ehcache
CVE-2023-34478 - Shiro Ehcache
CVE-2023-22602 - Shiro Ehcache
CVE-2022-40664 - Shiro Ehcache
CVE-2022-32532 - Shiro Ehcache
CVE-2021-41303 - Shiro Ehcache
CVE-2020-1957 - Shiro Ehcache
CVE-2020-17523 - Shiro Ehcache
CVE-2020-17510 - Shiro Ehcache
CVE-2020-13933 - Shiro Ehcache
CVE-2020-11989 - Shiro Ehcache
CVE-2019-12422 - Shiro Ehcache
CVE-2016-4437 - Shiro Ehcache
CVE-2010-3863 - Shiro Ehcache

Take a look at those CVEs and see whether the one you need to resolve is included there.

I found two that look similar to what you mentioned:
https://nvd.nist.gov/vuln/detail/CVE-2023-46749 solved in 7.1.9 SP1
https://nvd.nist.gov/vuln/detail/CVE-2023-46750 solved in 7.1.8 CHF19


Regards,
Andrés Fallas
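The release notes above say which CHF or SP ships a fixed Shiro, but before scheduling the upgrade you will want an inventory of where Shiro is actually deployed on your nodes and which version each copy is. The script below is an added example written for this page, not code from the thread or from Cloudera: it walks a directory tree, extracts the version from each shiro-*.jar file name, and flags anything below the required floor. It assumes Maven-style jar names (shiro-<module>-<version>.jar), paths without whitespace, and that on a real host you point it at /opt/cloudera/parcels; the demo at the bottom builds a constructed fixture of empty files so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or from Cloudera: inventory the Shiro jars
# under a CDP parcel tree and flag any below the version the question requires.
# Assumptions: Maven-style names (shiro-<module>-<version>.jar), no whitespace in
# paths, and on a real host the root is /opt/cloudera/parcels (hypothetical here).

# version_ge A B: exit 0 when dotted version A >= B (numeric components only).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i in x) ? x[i] + 0 : 0   # missing components compare as 0
      yi = (i in y) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# shiro_version_from_jar PATH: print the version embedded in a Shiro jar name,
# e.g. shiro-core-1.11.0.jar -> 1.11.0; prints "unknown" when the name carries none.
shiro_version_from_jar() {
  ver=$(basename "$1" .jar | sed -E 's/^shiro-[a-z-]+-([0-9]+(\.[0-9]+)*).*$/\1/')
  case "$ver" in
    ""|*[!0-9.]*) echo unknown ;;   # regex did not match: name has no version
    *) echo "$ver" ;;
  esac
}

# scan_shiro_jars ROOT [REQUIRED]: print one line per shiro-*.jar under ROOT with
# its status; exit 0 only if every jar is at or above REQUIRED (default 1.13.0).
# Jars whose name carries no version are reported UNKNOWN and also fail the scan,
# since their real version has to be read from META-INF/MANIFEST.MF by hand.
scan_shiro_jars() {
  root="$1"; required="${2:-1.13.0}"; rc=0
  for jar in $(find "$root" -type f -name 'shiro-*.jar' 2>/dev/null | sort); do
    ver=$(shiro_version_from_jar "$jar")
    if [ "$ver" = unknown ]; then
      printf 'UNKNOWN  %-10s %s\n' "$ver" "$jar"; rc=1
    elif version_ge "$ver" "$required"; then
      printf 'OK       %-10s %s\n' "$ver" "$jar"
    else
      printf 'OUTDATED %-10s %s\n' "$ver" "$jar"; rc=1
    fi
  done
  return $rc
}

# make_fixture: build a constructed, parcel-like tree of empty files (no real
# jars) so the scan can be exercised offline; prints the temporary root.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/CDH/lib/knox/lib" "$d/CDH/lib/knox/dep" "$d/CDH/lib/kafka/libs"
  : > "$d/CDH/lib/knox/lib/shiro-core-1.11.0.jar"   # constructed: below the floor
  : > "$d/CDH/lib/kafka/libs/shiro-core-1.13.0.jar"  # constructed: at the floor
  : > "$d/CDH/lib/knox/dep/shiro-web.jar"            # constructed: unversioned name
  echo "$d"
}

# Demo on the constructed fixture; on a cluster node replace the fixture root
# with /opt/cloudera/parcels.
root=$(make_fixture)
scan_shiro_jars "$root" 1.13.0 || echo "Shiro jars below 1.13.0 (or unversioned) remain; plan the CHF upgrade"
rm -rf "$root"
```

Run `scan_shiro_jars /opt/cloudera/parcels 1.13.0` on every node, not just the one you are logged in to, since each host has its own parcel copy. A non-zero exit means at least one jar is below the floor or could not be versioned from its name. The check is an inventory, not a remediation: the supported fix in CDP is applying the CHF or SP that the release notes list for your version, not swapping jars by hand.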

3 REPLIES

Expert Contributor

@jI-mi Could you please share the CVE or vulnerability details, along with the Apache Shiro version in use?


Community Manager

@jI-mi Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. Thanks.


Regards,

Diana Torres,
Senior Community Moderator

