All the vulnerabilites related to apache - shiro
Vulnerability from fkie_nvd
Published
2021-02-03 17:15
Modified
2024-11-21 05:08
Severity ?
Summary
Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*",
"matchCriteriaId": "46186C0D-DE5D-4D2B-8E29-7260BF095460",
"versionEndExcluding": "1.7.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass."
},
{
"lang": "es",
"value": "Apache Shiro versiones anteriores a 1.7.1, cuando se usa Apache Shiro con Spring, una petici\u00f3n HTTP especialmente dise\u00f1ada puede causar una omisi\u00f3n de autenticaci\u00f3n"
}
],
"id": "CVE-2020-17523",
"lastModified": "2024-11-21T05:08:17.470",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 8.5,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-02-03T17:15:13.700",
"references": [
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r5b93ddf97e2c4cda779d22fab30539bdec454cfa5baec4ad0ffae235%40%3Cgitbox.activemq.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r679ca97813384bdb1a4c087810ba44d9ad9c7c11583979bb7481d196%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rd4b613e121438b97e3eb263cac3137caddb1dbd8f648b73a4f1898a6%40%3Cissues.activemq.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r5b93ddf97e2c4cda779d22fab30539bdec454cfa5baec4ad0ffae235%40%3Cgitbox.activemq.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r679ca97813384bdb1a4c087810ba44d9ad9c7c11583979bb7481d196%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rd4b613e121438b97e3eb263cac3137caddb1dbd8f648b73a4f1898a6%40%3Cissues.activemq.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-22 19:15
Modified
2024-11-21 04:59
Severity ?
Summary
Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*",
"matchCriteriaId": "90234325-DBD4-46E8-A1FE-FCF2A04AF93A",
"versionEndExcluding": "1.5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass."
},
{
"lang": "es",
"value": "Apache Shiro versiones anteriores a 1.5.3, cuando se usa Apache Shiro con controladores din\u00e1micos Spring, una petici\u00f3n especialmente dise\u00f1ada puede causar una omisi\u00f3n de autenticaci\u00f3n"
}
],
"id": "CVE-2020-11989",
"lastModified": "2024-11-21T04:59:03.807",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-22T19:15:10.653",
"references": [
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r408fe60bc8fdfd7c74135249d646d7abadb807ebf90f6fd2b014df21%40%3Cdev.geode.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3%40%3Ccommits.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0%40%3Ccommits.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rcf3d8041e1232201fe5d74fc612a193e435784d64002409b448b58fe%40%3Cdev.geode.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r408fe60bc8fdfd7c74135249d646d7abadb807ebf90f6fd2b014df21%40%3Cdev.geode.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3%40%3Ccommits.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0%40%3Ccommits.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rcf3d8041e1232201fe5d74fc612a193e435784d64002409b448b58fe%40%3Cdev.geode.apache.org%3E"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-09-20 19:59
Modified
2024-11-21 02:56
Severity ?
Summary
Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/138709/Apache-Shiro-Filter-Bypass.html | Third Party Advisory, VDB Entry | |
| cve@mitre.org | http://www.securityfocus.com/archive/1/539397/100/0/threaded | ||
| cve@mitre.org | http://www.securityfocus.com/bid/92947 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/138709/Apache-Shiro-Filter-Bypass.html | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/archive/1/539397/100/0/threaded | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/92947 | Third Party Advisory, VDB Entry |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:shiro:1.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EB1C2605-99B3-4020-8329-39E3C67F1E7F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path."
},
{
"lang": "es",
"value": "Apache Shiro en versiones anteriores a 1.3.2 permite atacantes eludir los filtros de servlet destinados y obtener acceso aprovechando el uso una de ruta de contexto servlet sin ser root ."
}
],
"id": "CVE-2016-6802",
"lastModified": "2024-11-21T02:56:51.450",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-09-20T19:59:00.137",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/138709/Apache-Shiro-Filter-Bypass.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/539397/100/0/threaded"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/92947"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/138709/Apache-Shiro-Filter-Bypass.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/539397/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/92947"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-29 00:15
Modified
2024-11-21 07:06
Severity ?
Summary
Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh | Mailing List, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4C15DF9C-06E0-4274-8A6C-FDEA2F18B777",
"versionEndExcluding": "1.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass."
},
{
"lang": "es",
"value": "En Apache Shiro versiones anteriores a 1.9.1, Un RegexRequestMatcher puede ser configurado inapropiadamente para ser evitado en algunos contenedores de servlets. Las aplicaciones usando RegExPatternMatcher con \".\" en la expresi\u00f3n regular son posiblemente vulnerables a una omisi\u00f3n de autorizaci\u00f3n"
}
],
"id": "CVE-2022-32532",
"lastModified": "2024-11-21T07:06:34.577",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-29T00:15:10.247",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-10-06 14:55
Modified
2024-11-21 02:01
Severity ?
Summary
Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:shiro:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1593675C-A4A3-4EBF-B7E0-40287055FBC3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:shiro:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EB73A4C6-E13B-41FB-A985-A922AC93E710",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:shiro:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "75049BAF-B1F1-4AD4-89CA-CAB59A4D8FC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:shiro:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "04EC6B5A-24AF-45A7-9759-082CCB006F65",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:shiro:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "97A620B6-F598-4C13-916F-B66521335687",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password."
},
{
"lang": "es",
"value": "Apache Shiro 1.x anterior a 1.2.3, cuando se utiliza un servidor LDAP con bind no autenticado habilitado, permite a atacantes remotos evadir la autenticaci\u00f3n a trav\u00e9s de (1) un nombre de usuario vaci\u00f3 o (2) una contrase\u00f1a vac\u00eda."
}
],
"id": "CVE-2014-0074",
"lastModified": "2024-11-21T02:01:18.243",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-10-06T14:55:08.063",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1351.html"
},
{
"source": "secalert@redhat.com",
"url": "http://seclists.org/fulldisclosure/2014/Mar/22"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://issues.apache.org/jira/browse/SHIRO-460"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1351.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/fulldisclosure/2014/Mar/22"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://issues.apache.org/jira/browse/SHIRO-460"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-08-17 21:15
Modified
2024-11-21 05:02
Severity ?
Summary
Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | shiro | * | |
| debian | debian_linux | 9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3A1E6484-27EC-4428-AD24-0D3296581F92",
"versionEndExcluding": "1.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass."
},
{
"lang": "es",
"value": "Apache Shiro versiones anteriores a 1.6.0, cuando se usa Apache Shiro, una petici\u00f3n HTTP especialmente dise\u00f1ada puede causar una omisi\u00f3n de autenticaci\u00f3n."
}
],
"id": "CVE-2020-13933",
"lastModified": "2024-11-21T05:02:10.570",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-08-17T21:15:11.647",
"references": [
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r18b45d560d76c4260813c802771cc9678aa651fb8340e09366bfa198%40%3Cdev.geode.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r4506cedc401d6b8de83787f8436aac83956e411d66848c84785db46d%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r4c1e1249e9e1acb868db0c80728c13f448d07333da06a0f1603c0a33%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r6ea0224c1971a91dc6ade1f22508119a9c3bd56cef656f0c44bbfabb%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r8097b81905f2a113ebdf925bcbc6d8c9d6863c807c9ee42e1e7c9293%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r9ea6d8560d6354d41433ad006069904f0ed083527aa348b5999261a7%40%3Cdev.geode.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rb5edf49cd1451475dbcf53826ba6ef1bb7872dd6493d6112eb0c2bad%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r18b45d560d76c4260813c802771cc9678aa651fb8340e09366bfa198%40%3Cdev.geode.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r4506cedc401d6b8de83787f8436aac83956e411d66848c84785db46d%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r4c1e1249e9e1acb868db0c80728c13f448d07333da06a0f1603c0a33%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r6ea0224c1971a91dc6ade1f22508119a9c3bd56cef656f0c44bbfabb%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r8097b81905f2a113ebdf925bcbc6d8c9d6863c807c9ee42e1e7c9293%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r9ea6d8560d6354d41433ad006069904f0ed083527aa348b5999261a7%40%3Cdev.geode.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb5edf49cd1451475dbcf53826ba6ef1bb7872dd6493d6112eb0c2bad%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-06-07 14:06
Modified
2024-11-21 02:52
Severity ?
Summary
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
References
Impacted products
{
"cisaActionDue": "2022-05-03",
"cisaExploitAdd": "2021-11-03",
"cisaRequiredAction": "Apply updates per vendor instructions.",
"cisaVulnerabilityName": "Apache Shiro Code Execution Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:aurora:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5E4E49B7-6247-4353-A80D-ADE138DD0967",
"versionEndExcluding": "0.18.1",
"versionStartIncluding": "0.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2BF5BF73-85B5-4422-B100-EE22B38F574A",
"versionEndExcluding": "1.2.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "077732DB-F5F3-4E9C-9AC0-8142AB85B32F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:1.0:*:*:*:*:middleware:*:*",
"matchCriteriaId": "A0FED4EE-0AE2-4BD8-8DAC-143382E4DB7C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.2.5, when a cipher key has not been configured for the \"remember me\" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter."
},
{
"lang": "es",
"value": "Apache Shiro en versiones anteriores a 1.2.5, cuando una clave de cifrado no ha sido configurada por la caracter\u00edstica \"remember me\", permite a atacantes remotos ejecutar c\u00f3digo arbitrario o eludir las restricciones destinadas al acceso a trav\u00e9s de un par\u00e1metro request no especificado."
}
],
"id": "CVE-2016-4437",
"lastModified": "2024-11-21T02:52:11.663",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-06-07T14:06:13.247",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2035.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2036.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/archive/1/538570/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/91024"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2035.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2036.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/archive/1/538570/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/91024"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-11-18 23:15
Modified
2024-11-21 04:22
Severity ?
Summary
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ADE7954C-665D-44AD-B87B-D3E7AFD258A3",
"versionEndExcluding": "1.4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.4.2, when using the default \"remember me\" configuration, cookies could be susceptible to a padding attack."
},
{
"lang": "es",
"value": "Apache Shiro versiones anteriores a 1.4.2, cuando se usa la configuraci\u00f3n predeterminada \"remember me\", las cookies pueden ser susceptibles a un ataque de padding."
}
],
"id": "CVE-2019-12422",
"lastModified": "2024-11-21T04:22:48.657",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-18T23:15:11.360",
"references": [
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/c9db14cfebfb8e74205884ed2bf2e2b30790ce24b7dde9191c82572c%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/c9db14cfebfb8e74205884ed2bf2e2b30790ce24b7dde9191c82572c%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-11-05 21:15
Modified
2024-11-21 05:08
Severity ?
Summary
Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | shiro | * | |
| debian | debian_linux | 9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FFD2A206-696A-456F-841D-64695F141426",
"versionEndExcluding": "1.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass."
},
{
"lang": "es",
"value": "Apache Shiro versiones anteriores a 1.7.0, cuando se usa Apache Shiro con Spring, una petici\u00f3n HTTP especialmente dise\u00f1ada puede causar una omisi\u00f3n de autenticaci\u00f3n"
}
],
"id": "CVE-2020-17510",
"lastModified": "2024-11-21T05:08:15.427",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-05T21:15:12.537",
"references": [
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r95bdf3703858b5f958b5e190d747421771b430d97095880db91980d6%40%3Cannounce.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r95bdf3703858b5f958b5e190d747421771b430d97095880db91980d6%40%3Cannounce.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-03-25 16:15
Modified
2024-11-21 05:11
Severity ?
Summary
Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | shiro | * | |
| debian | debian_linux | 8.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E3E20335-3AB4-4B78-A749-60452E410CF9",
"versionEndExcluding": "1.5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass."
},
{
"lang": "es",
"value": "Apache Shiro versiones anteriores a 1.5.2, cuando se usa Apache Shiro con controladores din\u00e1micos Spring, una petici\u00f3n especialmente dise\u00f1ada puede causar una omisi\u00f3n de autenticaci\u00f3n."
}
],
"id": "CVE-2020-1957",
"lastModified": "2024-11-21T05:11:44.130",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-03-25T16:15:19.353",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e1be238895648f5a1e6%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3%40%3Ccommits.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rb3982edf8bc8fcaa7a308e25a12d294fb4aac1f1e9d4e14fda639e77%40%3Cdev.geode.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rc64fb2336683feff3580c3c3a8b28e80525077621089641f2f386b63%40%3Ccommits.camel.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0%40%3Ccommits.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00014.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e1be238895648f5a1e6%40%3Cdev.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3%40%3Ccommits.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb3982edf8bc8fcaa7a308e25a12d294fb4aac1f1e9d4e14fda639e77%40%3Cdev.geode.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rc64fb2336683feff3580c3c3a8b28e80525077621089641f2f386b63%40%3Ccommits.camel.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0%40%3Ccommits.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00014.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-09-17 09:15
Modified
2024-11-21 06:26
Severity ?
Summary
Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | shiro | * | |
| oracle | financial_services_crime_and_compliance_management_studio | 8.0.8.2.0 | |
| oracle | financial_services_crime_and_compliance_management_studio | 8.0.8.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D7F4D89B-0E8C-4E16-A002-FD7EBCF57844",
"versionEndExcluding": "1.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "55F091C7-0869-4FD6-AC73-DA697D990304",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4D134C60-F9E2-46C2-8466-DB90AD98439E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0."
},
{
"lang": "es",
"value": "Apache Shiro versiones anteriores a 1.8.0, cuando es usado Apache Shiro con Spring Boot, una petici\u00f3n HTTP especialmente dise\u00f1ada puede causar una omisi\u00f3n de autenticaci\u00f3n. Los usuarios deben actualizar a Apache Shiro versi\u00f3n 1.8.0"
}
],
"id": "CVE-2021-41303",
"lastModified": "2024-11-21T06:26:00.263",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-17T09:15:09.267",
"references": [
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b%40%3Cuser.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20220609-0001/"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b%40%3Cuser.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20220609-0001/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-10-12 07:15
Modified
2024-11-21 07:21
Severity ?
Summary
Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2D80A654-E0DF-4E5D-8EB7-819A50F76F26",
"versionEndExcluding": "1.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher."
},
{
"lang": "es",
"value": "Apache Shiro versiones anteriores a 1.10.0, una vulnerabilidad de Omisi\u00f3n de Autenticaci\u00f3n en Shiro cuando es reenviado o es incluida por medio de RequestDispatcher"
}
],
"id": "CVE-2022-40664",
"lastModified": "2024-11-21T07:21:49.007",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-10-12T07:15:09.100",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/12/1"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/12/2"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/13/1"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Release Notes",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg"
},
{
"source": "security@apache.org",
"tags": [
"Broken Link",
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20221118-0005/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/12/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/12/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/13/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Release Notes",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20221118-0005/"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-01-14 10:15
Modified
2024-11-21 07:45
Severity ?
Summary
When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.
The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching.
Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20230302-0001/ |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | shiro | * | |
| vmware | spring_boot | 2.6.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A43087B9-1941-4A90-AF30-331C19BF9A87",
"versionEndExcluding": "1.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vmware:spring_boot:2.6.0:\\+:*:*:*:*:*:*",
"matchCriteriaId": "74809806-E086-4EFF-8268-3EFF39AB5EF4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.\n\nThe authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot \u003c 2.6 default to Ant style pattern matching.\nMitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`\n\n\n"
},
{
"lang": "es",
"value": "Cuando se utiliza Apache Shiro anterior a 1.11.0 junto con Spring Boot 2.6+, una solicitud HTTP especialmente manipulada puede provocar una omisi\u00f3n de autenticaci\u00f3n. La omisi\u00f3n de autenticaci\u00f3n se produce cuando Shiro y Spring Boot utilizan diferentes t\u00e9cnicas de coincidencia de patrones. Tanto Shiro como Spring Boot \u0026lt; 2.6 por defecto utiliza la coincidencia de patrones de estilo Ant. Mitigaci\u00f3n: actualice a Apache Shiro 1.11.0 o establezca el siguiente valor de configuraci\u00f3n de Spring Boot: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`"
}
],
"id": "CVE-2023-22602",
"lastModified": "2024-11-21T07:45:02.740",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-01-14T10:15:09.140",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20230302-0001/"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-436"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2010-11-05 17:00
Modified
2024-11-21 01:19
Severity ?
Summary
Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*",
"matchCriteriaId": "36E31AB0-3484-46E1-8C7A-5FAA92B21167",
"versionEndIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jsecurity:jsecurity:0.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A9B625E5-8D60-4E40-B887-DDC8B21FB2F7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI."
},
{
"lang": "es",
"value": "Apache Shiro anterior a v1.1.0 y JSecurity v0.9.x, no canoniza rutas URI antes de compararlas como entradas en el archivo shiro.ini, lo cual permite a atacantes remotos evitar las restricciones de acceso mediante una solicitud manipulada, como lo demuestra la URI /./account/index.jsp"
}
],
"id": "CVE-2010-3863",
"lastModified": "2024-11-21T01:19:46.793",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2010-11-05T17:00:02.577",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html"
},
{
"source": "secalert@redhat.com",
"url": "http://osvdb.org/69067"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/41989"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/514616/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/44616"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2010/2888"
},
{
"source": "secalert@redhat.com",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62959"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/69067"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/41989"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/514616/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/44616"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2010/2888"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62959"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-12-14 09:15
Modified
2024-11-21 08:29
Severity ?
Summary
URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro.
Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4506F25B-7525-4608-9541-2FA9A31C72BF",
"versionEndExcluding": "1.13.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:shiro:2.0.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "27D6F919-851F-470D-A8E7-0F56C1EA16FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:shiro:2.0.0:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "A759179A-E4A9-4A6A-9CCB-5BB9CC73F7E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:shiro:2.0.0:alpha3:*:*:*:*:*:*",
"matchCriteriaId": "637D39D2-0D98-4137-8D48-C6D8834E07B3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability when \"form\" authentication is used in Apache Shiro.\nMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.\n"
},
{
"lang": "es",
"value": "Vulnerabilidad de redirecci\u00f3n de URL a un sitio que no es de confianza (\"Open Redirect\") cuando se utiliza la autenticaci\u00f3n de \"formulario\" en Apache Shiro. Mitigaci\u00f3n: actualice a Apache Shiro 1.13.0+ o 2.0.0-alpha-4+."
}
],
"id": "CVE-2023-46750",
"lastModified": "2024-11-21T08:29:13.547",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-14T09:15:42.107",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20240808-0002/"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-01-15 10:15
Modified
2024-11-21 08:29
Severity ?
Summary
Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting
Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm | Mailing List, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4506F25B-7525-4608-9541-2FA9A31C72BF",
"versionEndExcluding": "1.13.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:shiro:2.0.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "27D6F919-851F-470D-A8E7-0F56C1EA16FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:shiro:2.0.0:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "A759179A-E4A9-4A6A-9CCB-5BB9CC73F7E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:shiro:2.0.0:alpha3:*:*:*:*:*:*",
"matchCriteriaId": "637D39D2-0D98-4137-8D48-C6D8834E07B3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting \n\nMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).\n\n"
},
{
"lang": "es",
"value": "Apache Shiro anterior a 1.130 o 2.0.0-alpha-4 puede ser susceptible a un ataque de path traversal que da como resultado una omisi\u00f3n de autenticaci\u00f3n cuando se usa junto con path rewriting. Mitigaci\u00f3n: actualice a Apache Shiro 1.13.0+ o 2.0.0-alpha- 4+, o aseg\u00farese de que `blockSemicolon` est\u00e9 habilitado (este es el valor predeterminado)."
}
],
"id": "CVE-2023-46749",
"lastModified": "2024-11-21T08:29:13.427",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-01-15T10:15:26.380",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-07-24 19:15
Modified
2024-11-21 08:07
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.
Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AB0BFCA3-CB88-4DCC-9950-B8065EB192F9",
"versionEndExcluding": "1.12.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:shiro:2.0.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "27D6F919-851F-470D-A8E7-0F56C1EA16FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:shiro:2.0.0:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "A759179A-E4A9-4A6A-9CCB-5BB9CC73F7E7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.\n\nMitigation:\u00a0Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+\n"
},
{
"lang": "es",
"value": "Apache Shiro, antes de 1.12.0 o 2.0.0-alpha-3, puede ser susceptible a un ataque de Path Traversal que resulta en una omisi\u00f3n de autenticaci\u00f3n cuando se usa junto con API u otros marcos web que enrutan solicitudes basadas en solicitudes no normalizadas. Mitigaci\u00f3n: actualizaci\u00f3n a Apache Shiro 1.12.0+ o 2.0.0-alpha-3+ "
}
],
"id": "CVE-2023-34478",
"lastModified": "2024-11-21T08:07:20.607",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-07-24T19:15:10.630",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/07/24/4"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/mbv26onkgw9o35rldh7vmq11wpv2t2qk"
},
{
"source": "security@apache.org",
"url": "https://security.netapp.com/advisory/ntap-20230915-0005/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/07/24/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/mbv26onkgw9o35rldh7vmq11wpv2t2qk"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20230915-0005/"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
cve-2014-0074
Vulnerability from cvelistv5
Published
2014-10-06 14:00
Modified
2024-08-06 09:05
Severity ?
EPSS score ?
Summary
Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.
References
| ▼ | URL | Tags |
|---|---|---|
| http://seclists.org/fulldisclosure/2014/Mar/22 | mailing-list, x_refsource_FULLDISC | |
| https://issues.apache.org/jira/browse/SHIRO-460 | x_refsource_MISC | |
| http://rhn.redhat.com/errata/RHSA-2014-1351.html | vendor-advisory, x_refsource_REDHAT |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:05:38.510Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20140303 [Announce] Apache Shiro 1.2.3 Released - Security Advisory",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2014/Mar/22"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://issues.apache.org/jira/browse/SHIRO-460"
},
{
"name": "RHSA-2014:1351",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1351.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-03-03T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-10-06T13:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "20140303 [Announce] Apache Shiro 1.2.3 Released - Security Advisory",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2014/Mar/22"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://issues.apache.org/jira/browse/SHIRO-460"
},
{
"name": "RHSA-2014:1351",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1351.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2014-0074",
"datePublished": "2014-10-06T14:00:00",
"dateReserved": "2013-12-03T00:00:00",
"dateUpdated": "2024-08-06T09:05:38.510Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-46749
Vulnerability from cvelistv5
Published
2024-01-15 09:57
Modified
2024-08-02 20:53
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting
Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm | vendor-advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache Shiro |
Version: 0 ≤ Version: 2.0.0-alpha-1 ≤ |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:53:21.049Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.13.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "2.0.0-alpha-4",
"status": "affected",
"version": "2.0.0-alpha-1",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting \u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).\u003cbr\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting \n\nMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-20T10:01:32.470Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting ",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-46749",
"datePublished": "2024-01-15T09:57:31.613Z",
"dateReserved": "2023-10-25T18:55:02.833Z",
"dateUpdated": "2024-08-02T20:53:21.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-41303
Vulnerability from cvelistv5
Published
2021-09-17 08:20
Modified
2024-08-04 03:08
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E | x_refsource_MISC | |
| https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b%40%3Cuser.shiro.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://www.oracle.com/security-alerts/cpujul2022.html | x_refsource_MISC | |
| https://security.netapp.com/advisory/ntap-20220609-0001/ | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache Shiro |
Version: Apache Shiro < 1.8.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:08:32.012Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E"
},
{
"name": "[shiro-user] 20210929 Re: CVE-2021-41303: Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b%40%3Cuser.shiro.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220609-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.8.0",
"status": "affected",
"version": "Apache Shiro",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Shiro would like to thank tsug0d for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:38:40",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E"
},
{
"name": "[shiro-user] 20210929 Re: CVE-2021-41303: Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b%40%3Cuser.shiro.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220609-0001/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-41303",
"STATE": "PUBLIC",
"TITLE": "Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Shiro",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache Shiro",
"version_value": "1.8.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache Shiro would like to thank tsug0d for reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287 Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E"
},
{
"name": "[shiro-user] 20210929 Re: CVE-2021-41303: Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b@%3Cuser.shiro.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220609-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220609-0001/"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-41303",
"datePublished": "2021-09-17T08:20:12",
"dateReserved": "2021-09-16T00:00:00",
"dateUpdated": "2024-08-04T03:08:32.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-40664
Vulnerability from cvelistv5
Published
2022-10-12 00:00
Modified
2024-08-03 12:21
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache Shiro |
Version: Apache Shiro < 1.10.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:21:46.341Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg"
},
{
"name": "[oss-security] 20221011 CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/12/1"
},
{
"name": "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/12/2"
},
{
"name": "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/13/1"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20221118-0005/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.10.0",
"status": "affected",
"version": "Apache Shiro",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Shiro would like to thank Y4tacker for reporting this issue"
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-18T00:00:00",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg"
},
{
"name": "[oss-security] 20221011 CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/12/1"
},
{
"name": "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/12/2"
},
{
"name": "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/13/1"
},
{
"url": "https://security.netapp.com/advisory/ntap-20221118-0005/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-40664",
"datePublished": "2022-10-12T00:00:00",
"dateReserved": "2022-09-13T00:00:00",
"dateUpdated": "2024-08-03T12:21:46.341Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-32532
Vulnerability from cvelistv5
Published
2022-06-28 23:20
Modified
2024-08-03 07:46
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache Shiro |
Version: Before 1.9.1 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:46:43.634Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Before 1.9.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Shiro would like the thank 4ra1n for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-28T23:20:11",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authentication Bypass Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-32532",
"STATE": "PUBLIC",
"TITLE": "Authentication Bypass Vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Shiro",
"version": {
"version_data": [
{
"version_value": "Before 1.9.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache Shiro would like the thank 4ra1n for reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863 Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-32532",
"datePublished": "2022-06-28T23:20:11",
"dateReserved": "2022-06-07T00:00:00",
"dateUpdated": "2024-08-03T07:46:43.634Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-4437
Vulnerability from cvelistv5
Published
2016-06-07 14:00
Modified
2024-08-06 00:32
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2016-2035.html | vendor-advisory, x_refsource_REDHAT | |
| https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E | mailing-list, x_refsource_MLIST | |
| http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html | x_refsource_MISC | |
| http://rhn.redhat.com/errata/RHSA-2016-2036.html | vendor-advisory, x_refsource_REDHAT | |
| http://www.securityfocus.com/bid/91024 | vdb-entry, x_refsource_BID | |
| http://www.securityfocus.com/archive/1/538570/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:32:24.897Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2016:2035",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2035.html"
},
{
"name": "[announcements@aurora.apache.org] 20171101 Apache Aurora information disclosure vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html"
},
{
"name": "RHSA-2016:2036",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2036.html"
},
{
"name": "91024",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/91024"
},
{
"name": "20160603 [Announce] CVE-2016-4437: Apache Shiro information disclosure vulnerability",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/538570/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-06-03T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.2.5, when a cipher key has not been configured for the \"remember me\" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-29T17:06:16",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2016:2035",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2035.html"
},
{
"name": "[announcements@aurora.apache.org] 20171101 Apache Aurora information disclosure vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html"
},
{
"name": "RHSA-2016:2036",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2036.html"
},
{
"name": "91024",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/91024"
},
{
"name": "20160603 [Announce] CVE-2016-4437: Apache Shiro information disclosure vulnerability",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/538570/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2016-4437",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Shiro before 1.2.5, when a cipher key has not been configured for the \"remember me\" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2016:2035",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2035.html"
},
{
"name": "[announcements@aurora.apache.org] 20171101 Apache Aurora information disclosure vulnerability",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4@%3Cannouncements.aurora.apache.org%3E"
},
{
"name": "http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html"
},
{
"name": "RHSA-2016:2036",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2036.html"
},
{
"name": "91024",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/91024"
},
{
"name": "20160603 [Announce] CVE-2016-4437: Apache Shiro information disclosure vulnerability",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/538570/100/0/threaded"
},
{
"name": "http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-4437",
"datePublished": "2016-06-07T14:00:00",
"dateReserved": "2016-05-02T00:00:00",
"dateUpdated": "2024-08-06T00:32:24.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-13933
Vulnerability from cvelistv5
Published
2020-08-17 20:19
Modified
2024-08-04 12:32
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | n/a | Apache Shiro |
Version: Apache Shiro before version 1.6.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:32:14.332Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[geode-dev] 20200831 Proposal to bring GEODE-8456 (shiro upgrade) to support branches",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r18b45d560d76c4260813c802771cc9678aa651fb8340e09366bfa198%40%3Cdev.geode.apache.org%3E"
},
{
"name": "[geode-dev] 20200901 Re: Proposal to bring GEODE-8456 (shiro upgrade) to support branches",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9ea6d8560d6354d41433ad006069904f0ed083527aa348b5999261a7%40%3Cdev.geode.apache.org%3E"
},
{
"name": "[shiro-dev] 20200924 Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6ea0224c1971a91dc6ade1f22508119a9c3bd56cef656f0c44bbfabb%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201004 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4c1e1249e9e1acb868db0c80728c13f448d07333da06a0f1603c0a33%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201217 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8097b81905f2a113ebdf925bcbc6d8c9d6863c807c9ee42e1e7c9293%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201219 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb5edf49cd1451475dbcf53826ba6ef1bb7872dd6493d6112eb0c2bad%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201220 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4506cedc401d6b8de83787f8436aac83956e411d66848c84785db46d%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201221 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201222 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210130 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210316 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210802 [SECURITY] [DLA 2726-1] shiro security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Shiro",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Apache Shiro before version 1.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-03T03:06:15",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[geode-dev] 20200831 Proposal to bring GEODE-8456 (shiro upgrade) to support branches",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r18b45d560d76c4260813c802771cc9678aa651fb8340e09366bfa198%40%3Cdev.geode.apache.org%3E"
},
{
"name": "[geode-dev] 20200901 Re: Proposal to bring GEODE-8456 (shiro upgrade) to support branches",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9ea6d8560d6354d41433ad006069904f0ed083527aa348b5999261a7%40%3Cdev.geode.apache.org%3E"
},
{
"name": "[shiro-dev] 20200924 Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6ea0224c1971a91dc6ade1f22508119a9c3bd56cef656f0c44bbfabb%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201004 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4c1e1249e9e1acb868db0c80728c13f448d07333da06a0f1603c0a33%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201217 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r8097b81905f2a113ebdf925bcbc6d8c9d6863c807c9ee42e1e7c9293%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201219 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb5edf49cd1451475dbcf53826ba6ef1bb7872dd6493d6112eb0c2bad%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201220 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4506cedc401d6b8de83787f8436aac83956e411d66848c84785db46d%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201221 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201222 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210130 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210316 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210802 [SECURITY] [DLA 2726-1] shiro security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-13933",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Shiro",
"version": {
"version_data": [
{
"version_value": "Apache Shiro before version 1.6.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[geode-dev] 20200831 Proposal to bring GEODE-8456 (shiro upgrade) to support branches",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r18b45d560d76c4260813c802771cc9678aa651fb8340e09366bfa198@%3Cdev.geode.apache.org%3E"
},
{
"name": "[geode-dev] 20200901 Re: Proposal to bring GEODE-8456 (shiro upgrade) to support branches",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9ea6d8560d6354d41433ad006069904f0ed083527aa348b5999261a7@%3Cdev.geode.apache.org%3E"
},
{
"name": "[shiro-dev] 20200924 Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6ea0224c1971a91dc6ade1f22508119a9c3bd56cef656f0c44bbfabb@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201004 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4c1e1249e9e1acb868db0c80728c13f448d07333da06a0f1603c0a33@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201217 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r8097b81905f2a113ebdf925bcbc6d8c9d6863c807c9ee42e1e7c9293@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201219 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb5edf49cd1451475dbcf53826ba6ef1bb7872dd6493d6112eb0c2bad@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201220 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4506cedc401d6b8de83787f8436aac83956e411d66848c84785db46d@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201221 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201222 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210130 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210316 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210802 [SECURITY] [DLA 2726-1] shiro security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-13933",
"datePublished": "2020-08-17T20:19:53",
"dateReserved": "2020-06-08T00:00:00",
"dateUpdated": "2024-08-04T12:32:14.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-22602
Vulnerability from cvelistv5
Published
2023-01-14 09:33
Modified
2024-08-02 10:13
Severity ?
EPSS score ?
Summary
When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.
The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching.
Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl | vendor-advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache Shiro | |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:49.411Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20230302-0001/"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22602",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-01T15:25:09.693167Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T15:25:23.157Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.11.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "v3ged0ge and Adamytd"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003eThe authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot \u0026lt; 2.6 default to Ant style pattern matching.\u003cbr\u003e\u003cp\u003eMitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.\n\nThe authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot \u003c 2.6 default to Ant style pattern matching.\nMitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`\n\n\n"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436 Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-14T09:33:39.775Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Shiro before 1.11.0, when used with Spring Boot 2.6+, may allow authentication bypass through a specially crafted HTTP request",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-22602",
"datePublished": "2023-01-14T09:33:39.775Z",
"dateReserved": "2023-01-03T23:52:40.911Z",
"dateUpdated": "2024-08-02T10:13:49.411Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2010-3863
Vulnerability from cvelistv5
Published
2010-11-05 16:28
Modified
2024-08-07 03:26
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/44616 | vdb-entry, x_refsource_BID | |
| http://secunia.com/advisories/41989 | third-party-advisory, x_refsource_SECUNIA | |
| http://osvdb.org/69067 | vdb-entry, x_refsource_OSVDB | |
| http://www.securityfocus.com/archive/1/514616/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html | mailing-list, x_refsource_FULLDISC | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/62959 | vdb-entry, x_refsource_XF | |
| http://www.vupen.com/english/advisories/2010/2888 | vdb-entry, x_refsource_VUPEN |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T03:26:11.892Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "44616",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/44616"
},
{
"name": "41989",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/41989"
},
{
"name": "69067",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/69067"
},
{
"name": "20101103 CVE-2010-3863: Apache Shiro information disclosure vulnerability",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/514616/100/0/threaded"
},
{
"name": "20101102 CVE-2010-3863: Apache Shiro information disclosure vulnerability",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html"
},
{
"name": "shiro-filters-security-bypass(62959)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62959"
},
{
"name": "ADV-2010-2888",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2010/2888"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2010-11-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-10T18:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "44616",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/44616"
},
{
"name": "41989",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/41989"
},
{
"name": "69067",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/69067"
},
{
"name": "20101103 CVE-2010-3863: Apache Shiro information disclosure vulnerability",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/514616/100/0/threaded"
},
{
"name": "20101102 CVE-2010-3863: Apache Shiro information disclosure vulnerability",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html"
},
{
"name": "shiro-filters-security-bypass(62959)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62959"
},
{
"name": "ADV-2010-2888",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2010/2888"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2010-3863",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "44616",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/44616"
},
{
"name": "41989",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/41989"
},
{
"name": "69067",
"refsource": "OSVDB",
"url": "http://osvdb.org/69067"
},
{
"name": "20101103 CVE-2010-3863: Apache Shiro information disclosure vulnerability",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/514616/100/0/threaded"
},
{
"name": "20101102 CVE-2010-3863: Apache Shiro information disclosure vulnerability",
"refsource": "FULLDISC",
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html"
},
{
"name": "shiro-filters-security-bypass(62959)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62959"
},
{
"name": "ADV-2010-2888",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2010/2888"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2010-3863",
"datePublished": "2010-11-05T16:28:00",
"dateReserved": "2010-10-08T00:00:00",
"dateUpdated": "2024-08-07T03:26:11.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-34478
Vulnerability from cvelistv5
Published
2023-07-24 18:24
Modified
2024-10-02 18:29
Severity ?
EPSS score ?
Summary
Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.
Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache Shiro |
Version: 0 ≤ Version: 0 ≤ |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:10:07.042Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/mbv26onkgw9o35rldh7vmq11wpv2t2qk"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/07/24/4"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230915-0005/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "shiro",
"vendor": "apache",
"versions": [
{
"lessThan": "1.12.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:apache:shiro:2.0.0:alpha2:*:*:*:*:*:*",
"cpe:2.3:a:apache:shiro:2.0.0:alpha1:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "shiro",
"vendor": "apache",
"versions": [
{
"status": "affected",
"version": "2.0.0alpha1"
},
{
"status": "affected",
"version": "2.0.0alpha2"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-34478",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-02T18:25:43.914210Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T18:29:59.782Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.12.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "2.0.0-alpha-3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "tkswifty"
},
{
"lang": "en",
"type": "finder",
"value": "Ha1c9on"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003emay be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.\u003cbr\u003e\u003cbr\u003e\u003cstrong\u003eMitigation:\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.\n\nMitigation:\u00a0Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-24T18:24:45.619Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/mbv26onkgw9o35rldh7vmq11wpv2t2qk"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/07/24/4"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230915-0005/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Shiro before 1.12.0, or 2.0.0-alpha-3, may be susceptible to a path traversal attack when used together with APIs or other web frameworks that route requests based on non-normalized requests.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-34478",
"datePublished": "2023-07-24T18:24:45.619Z",
"dateReserved": "2023-06-07T18:50:06.956Z",
"dateUpdated": "2024-10-02T18:29:59.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-6802
Vulnerability from cvelistv5
Published
2016-09-20 19:00
Modified
2024-08-06 01:43
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/archive/1/539397/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://packetstormsecurity.com/files/138709/Apache-Shiro-Filter-Bypass.html | x_refsource_MISC | |
| http://www.securityfocus.com/bid/92947 | vdb-entry, x_refsource_BID |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T01:43:37.909Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20160913 [ANNOUNCE][CVE-2016-6802] Apache Shiro 1.3.2 released",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/539397/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/138709/Apache-Shiro-Filter-Bypass.html"
},
{
"name": "92947",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/92947"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-09-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20160913 [ANNOUNCE][CVE-2016-6802] Apache Shiro 1.3.2 released",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/539397/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/138709/Apache-Shiro-Filter-Bypass.html"
},
{
"name": "92947",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/92947"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-6802",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20160913 [ANNOUNCE][CVE-2016-6802] Apache Shiro 1.3.2 released",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/539397/100/0/threaded"
},
{
"name": "http://packetstormsecurity.com/files/138709/Apache-Shiro-Filter-Bypass.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/138709/Apache-Shiro-Filter-Bypass.html"
},
{
"name": "92947",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/92947"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-6802",
"datePublished": "2016-09-20T19:00:00",
"dateReserved": "2016-08-12T00:00:00",
"dateUpdated": "2024-08-06T01:43:37.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-11989
Vulnerability from cvelistv5
Published
2020-06-22 18:06
Modified
2024-08-04 11:48
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache Shiro |
Version: Apache Shiro 1.5.2 - 1.5.3 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:48:57.710Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20200622 [Announce] CVE-2020-11989: Authentication Bypass by Primary Weakness",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-commits] 20200622 svn commit: r1879089 - /shiro/site/publish/security-reports.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0%40%3Ccommits.shiro.apache.org%3E"
},
{
"name": "[shiro-commits] 20200622 svn commit: r1879088 - /shiro/site/publish/security-reports.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E"
},
{
"name": "[shiro-user] 20200622 [Announce] CVE-2020-11989: Authentication Bypass by Primary Weakness",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E"
},
{
"name": "[geode-dev] 20200630 Re: Proposal to bring GEODE-8315 (shiro upgrade) to support branches",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcf3d8041e1232201fe5d74fc612a193e435784d64002409b448b58fe%40%3Cdev.geode.apache.org%3E"
},
{
"name": "[geode-dev] 20200630 Proposal to bring GEODE-8315 (shiro upgrade) to support branches",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r408fe60bc8fdfd7c74135249d646d7abadb807ebf90f6fd2b014df21%40%3Cdev.geode.apache.org%3E"
},
{
"name": "[shiro-commits] 20200817 svn commit: r1880941 - /shiro/site/publish/security-reports.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3%40%3Ccommits.shiro.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache Shiro 1.5.2 - 1.5.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-17T18:06:18",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20200622 [Announce] CVE-2020-11989: Authentication Bypass by Primary Weakness",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-commits] 20200622 svn commit: r1879089 - /shiro/site/publish/security-reports.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0%40%3Ccommits.shiro.apache.org%3E"
},
{
"name": "[shiro-commits] 20200622 svn commit: r1879088 - /shiro/site/publish/security-reports.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E"
},
{
"name": "[shiro-user] 20200622 [Announce] CVE-2020-11989: Authentication Bypass by Primary Weakness",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E"
},
{
"name": "[geode-dev] 20200630 Re: Proposal to bring GEODE-8315 (shiro upgrade) to support branches",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rcf3d8041e1232201fe5d74fc612a193e435784d64002409b448b58fe%40%3Cdev.geode.apache.org%3E"
},
{
"name": "[geode-dev] 20200630 Proposal to bring GEODE-8315 (shiro upgrade) to support branches",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r408fe60bc8fdfd7c74135249d646d7abadb807ebf90f6fd2b014df21%40%3Cdev.geode.apache.org%3E"
},
{
"name": "[shiro-commits] 20200817 svn commit: r1880941 - /shiro/site/publish/security-reports.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3%40%3Ccommits.shiro.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-11989",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Shiro",
"version": {
"version_data": [
{
"version_value": "Apache Shiro 1.5.2 - 1.5.3"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Authentication Bypass by Primary Weakness"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20200622 [Announce] CVE-2020-11989: Authentication Bypass by Primary Weakness",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-commits] 20200622 svn commit: r1879089 - /shiro/site/publish/security-reports.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0@%3Ccommits.shiro.apache.org%3E"
},
{
"name": "[shiro-commits] 20200622 svn commit: r1879088 - /shiro/site/publish/security-reports.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040@%3Ccommits.shiro.apache.org%3E"
},
{
"name": "[shiro-user] 20200622 [Announce] CVE-2020-11989: Authentication Bypass by Primary Weakness",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675@%3Cuser.shiro.apache.org%3E"
},
{
"name": "[geode-dev] 20200630 Re: Proposal to bring GEODE-8315 (shiro upgrade) to support branches",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcf3d8041e1232201fe5d74fc612a193e435784d64002409b448b58fe@%3Cdev.geode.apache.org%3E"
},
{
"name": "[geode-dev] 20200630 Proposal to bring GEODE-8315 (shiro upgrade) to support branches",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r408fe60bc8fdfd7c74135249d646d7abadb807ebf90f6fd2b014df21@%3Cdev.geode.apache.org%3E"
},
{
"name": "[shiro-commits] 20200817 svn commit: r1880941 - /shiro/site/publish/security-reports.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3@%3Ccommits.shiro.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-11989",
"datePublished": "2020-06-22T18:06:37",
"dateReserved": "2020-04-21T00:00:00",
"dateUpdated": "2024-08-04T11:48:57.710Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-1957
Vulnerability from cvelistv5
Published
2020-03-25 15:24
Modified
2024-08-04 06:54
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | n/a | Apache Shiro |
Version: Apache Shiro to 1.5.2 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T06:54:00.565Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e1be238895648f5a1e6%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[camel-commits] 20200325 [camel] branch camel-3.0.x updated: Updating Shiro to 1.5.2 due to CVE-2020-1957",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc64fb2336683feff3580c3c3a8b28e80525077621089641f2f386b63%40%3Ccommits.camel.apache.org%3E"
},
{
"name": "[geode-dev] 20200406 Proposal to bring GEODE-7941 to support/1.12",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb3982edf8bc8fcaa7a308e25a12d294fb4aac1f1e9d4e14fda639e77%40%3Cdev.geode.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200419 [SECURITY] [DLA 2181-1] shiro security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00014.html"
},
{
"name": "[shiro-commits] 20200622 svn commit: r1879089 - /shiro/site/publish/security-reports.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0%40%3Ccommits.shiro.apache.org%3E"
},
{
"name": "[shiro-commits] 20200622 svn commit: r1879088 - /shiro/site/publish/security-reports.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E"
},
{
"name": "[shiro-commits] 20200817 svn commit: r1880941 - /shiro/site/publish/security-reports.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3%40%3Ccommits.shiro.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Shiro",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Apache Shiro to 1.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Authentication Bypass",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-17T18:06:18",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e1be238895648f5a1e6%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[camel-commits] 20200325 [camel] branch camel-3.0.x updated: Updating Shiro to 1.5.2 due to CVE-2020-1957",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc64fb2336683feff3580c3c3a8b28e80525077621089641f2f386b63%40%3Ccommits.camel.apache.org%3E"
},
{
"name": "[geode-dev] 20200406 Proposal to bring GEODE-7941 to support/1.12",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb3982edf8bc8fcaa7a308e25a12d294fb4aac1f1e9d4e14fda639e77%40%3Cdev.geode.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200419 [SECURITY] [DLA 2181-1] shiro security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00014.html"
},
{
"name": "[shiro-commits] 20200622 svn commit: r1879089 - /shiro/site/publish/security-reports.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0%40%3Ccommits.shiro.apache.org%3E"
},
{
"name": "[shiro-commits] 20200622 svn commit: r1879088 - /shiro/site/publish/security-reports.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E"
},
{
"name": "[shiro-commits] 20200817 svn commit: r1880941 - /shiro/site/publish/security-reports.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3%40%3Ccommits.shiro.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-1957",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Shiro",
"version": {
"version_data": [
{
"version_value": "Apache Shiro to 1.5.2"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Authentication Bypass"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e1be238895648f5a1e6%40%3Cdev.shiro.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e1be238895648f5a1e6%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[camel-commits] 20200325 [camel] branch camel-3.0.x updated: Updating Shiro to 1.5.2 due to CVE-2020-1957",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc64fb2336683feff3580c3c3a8b28e80525077621089641f2f386b63@%3Ccommits.camel.apache.org%3E"
},
{
"name": "[geode-dev] 20200406 Proposal to bring GEODE-7941 to support/1.12",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb3982edf8bc8fcaa7a308e25a12d294fb4aac1f1e9d4e14fda639e77@%3Cdev.geode.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200419 [SECURITY] [DLA 2181-1] shiro security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00014.html"
},
{
"name": "[shiro-commits] 20200622 svn commit: r1879089 - /shiro/site/publish/security-reports.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0@%3Ccommits.shiro.apache.org%3E"
},
{
"name": "[shiro-commits] 20200622 svn commit: r1879088 - /shiro/site/publish/security-reports.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040@%3Ccommits.shiro.apache.org%3E"
},
{
"name": "[shiro-commits] 20200817 svn commit: r1880941 - /shiro/site/publish/security-reports.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3@%3Ccommits.shiro.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-1957",
"datePublished": "2020-03-25T15:24:27",
"dateReserved": "2019-12-02T00:00:00",
"dateUpdated": "2024-08-04T06:54:00.565Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-17510
Vulnerability from cvelistv5
Published
2020-11-05 20:17
Modified
2024-08-04 14:00
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | n/a | Apache Shiro |
Version: Apache Shiro to 1.7.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:00:48.649Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[announce] 20201105 [CVE-2020-17510] Apache Shiro 1.7.0 released",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r95bdf3703858b5f958b5e190d747421771b430d97095880db91980d6%40%3Cannounce.apache.org%3E"
},
{
"name": "[shiro-dev] 20201221 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201222 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210130 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210316 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210802 [SECURITY] [DLA 2726-1] shiro security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Shiro",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Apache Shiro to 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Authentication Bypass",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-03T03:06:18",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[announce] 20201105 [CVE-2020-17510] Apache Shiro 1.7.0 released",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r95bdf3703858b5f958b5e190d747421771b430d97095880db91980d6%40%3Cannounce.apache.org%3E"
},
{
"name": "[shiro-dev] 20201221 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201222 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210130 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210316 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210802 [SECURITY] [DLA 2726-1] shiro security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-17510",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Shiro",
"version": {
"version_data": [
{
"version_value": "Apache Shiro to 1.7.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Authentication Bypass"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[announce] 20201105 [CVE-2020-17510] Apache Shiro 1.7.0 released",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r95bdf3703858b5f958b5e190d747421771b430d97095880db91980d6@%3Cannounce.apache.org%3E"
},
{
"name": "[shiro-dev] 20201221 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201222 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210130 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210316 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210802 [SECURITY] [DLA 2726-1] shiro security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-17510",
"datePublished": "2020-11-05T20:17:36",
"dateReserved": "2020-08-12T00:00:00",
"dateUpdated": "2024-08-04T14:00:48.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-12422
Vulnerability from cvelistv5
Published
2019-11-18 22:04
Modified
2024-08-04 23:17
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread.html/c9db14cfebfb8e74205884ed2bf2e2b30790ce24b7dde9191c82572c%40%3Cdev.shiro.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E | mailing-list, x_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:17:39.997Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[shiro-dev] 20191118 [ANNOUNCE][CVE-2019-12422] Apache Shiro 1.4.2 released",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/c9db14cfebfb8e74205884ed2bf2e2b30790ce24b7dde9191c82572c%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-commits] 20200622 svn commit: r1879088 - /shiro/site/publish/security-reports.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Shiro",
"vendor": "Apache",
"versions": [
{
"status": "affected",
"version": "to 1.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.4.2, when using the default \"remember me\" configuration, cookies could be susceptible to a padding attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Weak Cookie Vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-22T19:06:24",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[shiro-dev] 20191118 [ANNOUNCE][CVE-2019-12422] Apache Shiro 1.4.2 released",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/c9db14cfebfb8e74205884ed2bf2e2b30790ce24b7dde9191c82572c%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-commits] 20200622 svn commit: r1879088 - /shiro/site/publish/security-reports.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2019-12422",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Shiro",
"version": {
"version_data": [
{
"version_value": "to 1.4.1"
}
]
}
}
]
},
"vendor_name": "Apache"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Shiro before 1.4.2, when using the default \"remember me\" configuration, cookies could be susceptible to a padding attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Weak Cookie Vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[shiro-dev] 20191118 [ANNOUNCE][CVE-2019-12422] Apache Shiro 1.4.2 released",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/c9db14cfebfb8e74205884ed2bf2e2b30790ce24b7dde9191c82572c@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-commits] 20200622 svn commit: r1879088 - /shiro/site/publish/security-reports.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040@%3Ccommits.shiro.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2019-12422",
"datePublished": "2019-11-18T22:04:21",
"dateReserved": "2019-05-28T00:00:00",
"dateUpdated": "2024-08-04T23:17:39.997Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-17523
Vulnerability from cvelistv5
Published
2021-02-03 16:55
Modified
2024-08-04 14:00
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | n/a | Apache Shiro |
Version: before 1.7.1 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:00:48.826Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[activemq-gitbox] 20210210 [GitHub] [activemq] ehossack-aws opened a new pull request #614: Update shiro to 1.7.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5b93ddf97e2c4cda779d22fab30539bdec454cfa5baec4ad0ffae235%40%3Cgitbox.activemq.apache.org%3E"
},
{
"name": "[activemq-issues] 20210301 [jira] [Created] (AMQ-8159) High severity security issues found in Apache Shiro v.1.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd4b613e121438b97e3eb263cac3137caddb1dbd8f648b73a4f1898a6%40%3Cissues.activemq.apache.org%3E"
},
{
"name": "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210424 Re: Ask help for upgrading Shiro in CDH platform to 1.7.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r679ca97813384bdb1a4c087810ba44d9ad9c7c11583979bb7481d196%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E"
},
{
"name": "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Shiro",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "before 1.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-05T02:06:26",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[activemq-gitbox] 20210210 [GitHub] [activemq] ehossack-aws opened a new pull request #614: Update shiro to 1.7.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5b93ddf97e2c4cda779d22fab30539bdec454cfa5baec4ad0ffae235%40%3Cgitbox.activemq.apache.org%3E"
},
{
"name": "[activemq-issues] 20210301 [jira] [Created] (AMQ-8159) High severity security issues found in Apache Shiro v.1.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd4b613e121438b97e3eb263cac3137caddb1dbd8f648b73a4f1898a6%40%3Cissues.activemq.apache.org%3E"
},
{
"name": "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210424 Re: Ask help for upgrading Shiro in CDH platform to 1.7.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r679ca97813384bdb1a4c087810ba44d9ad9c7c11583979bb7481d196%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E"
},
{
"name": "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-17523",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Shiro",
"version": {
"version_data": [
{
"version_value": "before 1.7.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[activemq-gitbox] 20210210 [GitHub] [activemq] ehossack-aws opened a new pull request #614: Update shiro to 1.7.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5b93ddf97e2c4cda779d22fab30539bdec454cfa5baec4ad0ffae235@%3Cgitbox.activemq.apache.org%3E"
},
{
"name": "[activemq-issues] 20210301 [jira] [Created] (AMQ-8159) High severity security issues found in Apache Shiro v.1.7.0",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd4b613e121438b97e3eb263cac3137caddb1dbd8f648b73a4f1898a6@%3Cissues.activemq.apache.org%3E"
},
{
"name": "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210424 Re: Ask help for upgrading Shiro in CDH platform to 1.7.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r679ca97813384bdb1a4c087810ba44d9ad9c7c11583979bb7481d196@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E"
},
{
"name": "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac@%3Cdev.shiro.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-17523",
"datePublished": "2021-02-03T16:55:18",
"dateReserved": "2020-08-12T00:00:00",
"dateUpdated": "2024-08-04T14:00:48.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-46750
Vulnerability from cvelistv5
Published
2023-12-14 08:15
Modified
2024-08-08 13:05
Severity ?
EPSS score ?
Summary
URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro.
Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9 | vendor-advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache Shiro |
Version: 0 ≤ Version: 2.0.0-alpha-1 ≤ |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-08T13:05:17.314Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240808-0002/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.shiro:shiro-web",
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.13.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "2.0.0-alpha-4",
"status": "affected",
"version": "2.0.0-alpha-1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Claudio Villella"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eURL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability when \"form\" authentication is used in Apache Shiro.\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability when \"form\" authentication is used in Apache Shiro.\nMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-14T08:15:58.031Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Shiro: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in FORM authentication feature Apache Shiro.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-46750",
"datePublished": "2023-12-14T08:15:58.031Z",
"dateReserved": "2023-10-25T19:11:12.143Z",
"dateUpdated": "2024-08-08T13:05:17.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}