Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass
CVE-2021-41303

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Shiro
Vendor: CVE Published:; 17 September 2021

Summary

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.

Affected Version(s)

Apache Shiro Apache Shiro < 1.8.0

References

https://lists.apache.org/thread.html/re470be1ffea44bca28c...

x_refsource_MISC

https://lists.apache.org/thread.html/raae98bb934e4bde3044...

mailing-listx_refsource_MLIST

https://www.oracle.com/security-alerts/cpujul2022.html

x_refsource_MISC

EPSS Score

13% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 17, 2021
Vulnerability Reserved
Sep 16, 2021

Credit

Apache Shiro would like to thank tsug0d for reporting this issue.