Lucene search
ApacheVULNRICHMENT:CVE-2023-22602HistoryJan 14, 2023 - 9:33 a.m.
CVE-2023-22602 Apache Shiro before 1.11.0, when used with Spring Boot 2.6+, may allow authentication bypass through a specially crafted HTTP request
2023-01-1409:33:39
CWE-436
apache
github.com
3
cve-2023-22602
apache shiro
authentication bypass
spring boot
http request
update
pattern matching
AI Score
7
Confidence
Low
EPSS
0.004
Percentile
72.7%
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial
When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.
The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching.
Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: spring.mvc.pathmatch.matching-strategy = ant_path_matcher
CNA Affected
[
{
"vendor": "Apache Software Foundation",
"product": "Apache Shiro",
"versions": [
{
"status": "unaffected",
"version": "0",
"lessThan": "1.11.0",
"versionType": "semver"
}
],
"defaultStatus": "unaffected"
}
]Related
debiancve
debiancve
CVE-2023-22602
2023-01-14 10:15:09
nvd
nvd
CVE-2023-22602
2023-01-14 10:15:09
prion
prion
Authentication flaw
2023-01-14 10:15:00
ibm
ibm
cvelist
cvelist
ubuntucve
ubuntucve
CVE-2023-22602
2023-01-14 00:00:00
osv
osv
CVE-2023-22602
2023-01-14 10:15:09
Apache Shiro Interpretation Conflict vulnerability
2023-01-14 12:30:23
redhatcve
redhatcve
CVE-2023-22602
2023-03-27 21:35:08
nessus
nessus
Apache Shiro < 1.11.0 Authentication Bypass
2023-09-25 00:00:00
cve
cve
CVE-2023-22602
2023-01-14 10:15:09
veracode
veracode
Authentication Bypass
2023-10-13 18:43:28
github
github
Apache Shiro Interpretation Conflict vulnerability
2023-01-14 12:30:23
redhat
redhat
AI Score
7
Confidence
Low
EPSS
0.004
Percentile
72.7%
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial
Related for VULNRICHMENT:CVE-2023-22602