Lucene search
ApacheCVELIST:CVE-2023-22602HistoryJan 14, 2023 - 9:33 a.m.
CVE-2023-22602 Apache Shiro before 1.11.0, when used with Spring Boot 2.6+, may allow authentication bypass through a specially crafted HTTP request
2023-01-1409:33:39
CWE-436
apache
www.cve.org
1
cve-2023-22602
apache shiro
spring boot 2.6+
authentication bypass
http request
pattern matching
mitigation
0.004 Low
EPSS
Percentile
72.1%
When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.
The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching.
Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: spring.mvc.pathmatch.matching-strategy = ant_path_matcher
CNA Affected
[
{
"defaultStatus": "unaffected",
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.11.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
}
]
}
]Related
ibm
ibm
prion
prion
Authentication flaw
2023-01-14 10:15:00
nvd
nvd
CVE-2023-22602
2023-01-14 10:15:09
debiancve
debiancve
CVE-2023-22602
2023-01-14 10:15:09
osv
osv
CVE-2023-22602
2023-01-14 10:15:09
Apache Shiro Interpretation Conflict vulnerability
2023-01-14 12:30:23
redhatcve
redhatcve
CVE-2023-22602
2023-03-27 21:35:08
ubuntucve
ubuntucve
CVE-2023-22602
2023-01-14 00:00:00
github
github
Apache Shiro Interpretation Conflict vulnerability
2023-01-14 12:30:23
cve
cve
CVE-2023-22602
2023-01-14 10:15:09
nessus
nessus
Apache Shiro < 1.11.0 Authentication Bypass
2023-09-25 00:00:00
veracode
veracode
Authentication Bypass
2023-10-13 18:43:28
redhat
redhat