CVE-2023-22602

Published: Jan 14, 2023, 10:15 a.m. (2023-01-14 10:15:09)
CWE: CWE-436
Source: web.nvd.nist.gov
Tags: cve, apache shiro, spring boot, authentication bypass, http request, security vulnerability

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score: 7.5 High (Confidence: High)

EPSS: 0.004 Low (Percentile: 72.2%)

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.

The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching.
Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: spring.mvc.pathmatch.matching-strategy = ant_path_matcher

Affected configurations

NVD

Node:
apache shiro, Range: < 1.11.0
AND
vmware spring_boot, Match: 2.6.0+

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Shiro",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "1.11.0",
        "status": "unaffected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]
