Apache Shiro Interpretation Conflict vulnerability

2023-01-1412:30:23

Google

osv.dev

apache shiro

spring boot

authentication bypass

vulnerability

mitigation

update

pattern matching

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.004 Low

EPSS

Percentile

72.1%

JSON

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: spring.mvc.pathmatch.matching-strategy = ant_path_matcher

CPENameOperatorVersion
org.apache.shiro:shiro-rooteq1.9.1
org.apache.shiro:shiro-rooteq1.4.0-RC2
org.apache.shiro:shiro-rooteq1.3.0
org.apache.shiro:shiro-rooteq1.7.0
org.apache.shiro:shiro-rooteq1.10.0
org.apache.shiro:shiro-rooteq1.2.5
org.apache.shiro:shiro-rooteq1.1.0
org.apache.shiro:shiro-rooteq1.7.1
org.apache.shiro:shiro-rooteq1.6.0
org.apache.shiro:shiro-rooteq1.8.0

Name	Operator	Version
org.apache.shiro:shiro-root	eq	1.9.1
org.apache.shiro:shiro-root	eq	1.4.0-RC2
org.apache.shiro:shiro-root	eq	1.3.0
org.apache.shiro:shiro-root	eq	1.7.0
org.apache.shiro:shiro-root	eq	1.10.0
org.apache.shiro:shiro-root	eq	1.2.5
org.apache.shiro:shiro-root	eq	1.1.0
org.apache.shiro:shiro-root	eq	1.7.1
org.apache.shiro:shiro-root	eq	1.6.0
org.apache.shiro:shiro-root	eq	1.8.0