Apache Shiro before 1.11.0, when used with Spring Boot 2.6+, may allow authentication bypass through a specially crafted HTTP request
CVE-2023-22602

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Shiro
Vendor: CVE Published:; 14 January 2023

What is CVE-2023-22602?

In specific configurations, an authentication bypass vulnerability exists when integrating Apache Shiro prior to version 1.11.0 with Spring Boot 2.6 or newer. This vulnerability arises from differing pattern-matching strategies, allowing an attacker to exploit the authentication process. The default settings in both frameworks utilize Ant-style pattern matching when versions are below those specified. Users are advised to upgrade to Apache Shiro 1.11.0 or adjust Spring Boot’s settings to ensure security by configuring the 'spring.mvc.pathmatch.matching-strategy' to 'ant_path_matcher'.

Affected Version(s)

Apache Shiro 0

References

https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsr...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 14, 2023
Vulnerability Reserved
Jan 3, 2023

Credit

v3ged0ge and Adamytd