Vulnerabilities related to Apache Software Foundation - Apache Shiro
cve-2023-46749
Vulnerability from cvelistv5
Published: 2024-01-15 09:57
Modified: 2024-08-02 20:53
Severity: low (Apache textual rating)
Summary
Apache Shiro before 1.13.0 or 2.0.0-alpha-4 may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting.
Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).
Weakness: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
References
URL | Tags |
---|---|
https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm | vendor-advisory |
Impacted products
Vendor | Product | Version |
---|---|---|
Apache Software Foundation | Apache Shiro | 0 ≤ version < 1.13.0; 2.0.0-alpha-1 ≤ version < 2.0.0-alpha-4 |
cve-2023-34478
Vulnerability from cvelistv5
Published: 2023-07-24 18:24
Modified: 2025-02-13 16:55
Severity: important (Apache textual rating); CVSS 3.1 base score 9.8 (Critical), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CISA ADP)
SSVC (CISA ADP): Exploitation none, Automatable yes, Technical Impact total
Summary
Apache Shiro before 1.12.0 or 2.0.0-alpha-3 may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.
Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+
Weakness: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Credits: tkswifty, Ha1c9on (finders)
References
URL | Tags |
---|---|
https://lists.apache.org/thread/mbv26onkgw9o35rldh7vmq11wpv2t2qk | vendor-advisory |
http://www.openwall.com/lists/oss-security/2023/07/24/4 | |
https://security.netapp.com/advisory/ntap-20230915-0005/ | |
Impacted products
Vendor | Product | Version |
---|---|---|
Apache Software Foundation | Apache Shiro | 0 ≤ version < 1.12.0; 0 ≤ version < 2.0.0-alpha-3 |
cve-2023-22602
Vulnerability from cvelistv5
Published: 2023-01-14 09:33
Modified: 2024-08-02 10:13
SSVC (CISA ADP): Exploitation none, Automatable no, Technical Impact partial
Summary
When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.
The authentication bypass occurs when Shiro and Spring Boot use different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant-style pattern matching.
Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`
Weakness: CWE-436 Interpretation Conflict
Credits: v3ged0ge and Adamytd (finders)
References
URL | Tags |
---|---|
https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl | vendor-advisory |
https://security.netapp.com/advisory/ntap-20230302-0001/ | |
Impacted products
Vendor | Product | Version |
---|---|---|
Apache Software Foundation | Apache Shiro | before 1.11.0 (when used with Spring Boot 2.6+) |
cve-2020-11989
Vulnerability from cvelistv5
Published: 2020-06-22 18:06
Modified: 2024-08-04 11:48
Summary
In Apache Shiro before 1.5.3, when Shiro is used with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
Weakness: Authentication Bypass by Primary Weakness
References
URL | Tags |
---|---|
https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E | x_refsource_MISC, mailing-list ([shiro-user] announcement) |
https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cdev.shiro.apache.org%3E | mailing-list ([shiro-dev] announcement) |
https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0%40%3Ccommits.shiro.apache.org%3E | mailing-list ([shiro-commits] r1879089) |
https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E | mailing-list ([shiro-commits] r1879088) |
https://lists.apache.org/thread.html/rcf3d8041e1232201fe5d74fc612a193e435784d64002409b448b58fe%40%3Cdev.geode.apache.org%3E | mailing-list ([geode-dev] GEODE-8315) |
https://lists.apache.org/thread.html/r408fe60bc8fdfd7c74135249d646d7abadb807ebf90f6fd2b014df21%40%3Cdev.geode.apache.org%3E | mailing-list ([geode-dev] GEODE-8315) |
https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3%40%3Ccommits.shiro.apache.org%3E | mailing-list ([shiro-commits] r1880941) |
Impacted products
Vendor | Product | Version |
---|---|---|
Apache Software Foundation | Apache Shiro | Apache Shiro 1.5.2 - 1.5.3 |
cve-2022-32532
Vulnerability from cvelistv5
Published: 2022-06-28 23:20
Modified: 2024-08-03 07:46
Summary
In Apache Shiro before 1.9.1, a RegexRequestMatcher can be misconfigured so that it is bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Weakness: CWE-863 Incorrect Authorization
Credits: Apache Shiro would like to thank 4ra1n for reporting this issue.
References
URL | Tags |
---|---|
https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Apache Software Foundation | Apache Shiro | Before 1.9.1 |
cve-2021-41303
Vulnerability from cvelistv5
Published: 2021-09-17 08:20
Modified: 2024-08-04 03:08
Summary
In Apache Shiro before 1.8.0, when Shiro is used with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.
Weakness: CWE-287 Improper Authentication
Credits: Apache Shiro would like to thank tsug0d for reporting this issue.
References
URL | Tags |
---|---|
https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E | x_refsource_MISC |
https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b%40%3Cuser.shiro.apache.org%3E | mailing-list, x_refsource_MLIST |
https://www.oracle.com/security-alerts/cpujul2022.html | x_refsource_MISC |
https://security.netapp.com/advisory/ntap-20220609-0001/ | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version |
---|---|---|
Apache Software Foundation | Apache Shiro | Apache Shiro < 1.8.0 |
cve-2022-40664
Vulnerability from cvelistv5
Published: 2022-10-12 00:00
Modified: 2024-08-03 12:21
Summary
Apache Shiro before 1.10.0: authentication bypass vulnerability in Shiro when forwarding or including via RequestDispatcher.
Weakness: CWE-287 Improper Authentication
Credits: Apache Shiro would like to thank Y4tacker for reporting this issue.
References
URL | Tags |
---|---|
https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg | |
http://www.openwall.com/lists/oss-security/2022/10/12/1 | mailing-list ([oss-security] 20221011 announcement) |
http://www.openwall.com/lists/oss-security/2022/10/12/2 | mailing-list ([oss-security] 20221012 reply) |
http://www.openwall.com/lists/oss-security/2022/10/13/1 | mailing-list ([oss-security] 20221012 reply) |
https://security.netapp.com/advisory/ntap-20221118-0005/ | |
Impacted products
Vendor | Product | Version |
---|---|---|
Apache Software Foundation | Apache Shiro | Apache Shiro < 1.10.0 |
cve-2023-46750
Vulnerability from cvelistv5
Published
2023-12-14 08:15
Modified
2024-08-08 13:05
Severity ?
EPSS score ?
Summary
URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro.
Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.
References
URL | Tags
---|---
https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9 | vendor-advisory
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Shiro | 0 ≤ version < 1.13.0; 2.0.0-alpha-1 ≤ version < 2.0.0-alpha-4
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-08T13:05:17.314Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9", }, { url: "https://security.netapp.com/advisory/ntap-20240808-0002/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://repo.maven.apache.org/maven2", defaultStatus: "unaffected", packageName: "org.apache.shiro:shiro-web", product: "Apache Shiro", vendor: "Apache Software Foundation", versions: [ { lessThan: "1.13.0", status: "affected", version: "0", versionType: "semver", }, { lessThan: "2.0.0-alpha-4", status: "affected", version: "2.0.0-alpha-1", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Claudio Villella", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<span style=\"background-color: rgb(255, 255, 255);\">URL Redirection to Untrusted Site ('Open Redirect') vulnerability when \"form\" authentication is used in Apache Shiro.<br><span style=\"background-color: rgb(255, 255, 255);\">Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.</span></span><br>", }, ], value: "URL Redirection to Untrusted Site ('Open Redirect') vulnerability when \"form\" authentication is used in Apache Shiro.\nMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.\n", }, ], metrics: [ { other: { content: { text: "moderate", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-601", description: "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-12-14T08:15:58.031Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: 
"https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Shiro: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Shiro.", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2023-46750", datePublished: "2023-12-14T08:15:58.031Z", dateReserved: "2023-10-25T19:11:12.143Z", dateUpdated: "2024-08-08T13:05:17.314Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }