CVE-2023-22602

2023-01-1400:00:00

ubuntu.com

cve-2023-22602

apache shiro

spring boot

authentication bypass

http request

pattern matching

mitigation

update

configuration

ant_path_matcher

unix

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.004 Low

EPSS

Percentile

72.1%

JSON

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a
specially crafted HTTP request may cause an authentication bypass. The
authentication bypass occurs when Shiro and Spring Boot are using different
pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to
Ant style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or
set the following Spring Boot configuration value:
spring.mvc.pathmatch.matching-strategy = ant_path_matcher

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchshiro< anyUNKNOWN
ubuntu20.04noarchshiro< anyUNKNOWN
ubuntu22.04noarchshiro< anyUNKNOWN
ubuntu23.10noarchshiro< anyUNKNOWN
ubuntu24.04noarchshiro< anyUNKNOWN
ubuntu16.04noarchshiro< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	shiro	< any	UNKNOWN
ubuntu	20.04	noarch	shiro	< any	UNKNOWN
ubuntu	22.04	noarch	shiro	< any	UNKNOWN
ubuntu	23.10	noarch	shiro	< any	UNKNOWN
ubuntu	24.04	noarch	shiro	< any	UNKNOWN
ubuntu	16.04	noarch	shiro	< any	UNKNOWN