Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
46 vulnerabilities found for shiro by apache
CVE-2026-48589 (GCVE-0-2026-48589)
Vulnerability from nvd – Published: 2026-05-25 20:20 – Updated: 2026-05-26 12:37
VLAI
Title
Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow
Summary
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login.
In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module.
This issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Affected:
2.0.0-alpha-0 , ≤ 2.2.0
(semver)
Affected: 3.0.0-alpha-0 , ≤ 3.0.0-alpha-1 (semver) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-25T21:26:15.212Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/25/9"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48589",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T12:37:36.660873Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T12:37:44.475Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.shiro:shiro-jakarta-ee",
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.2.0",
"status": "affected",
"version": "2.0.0-alpha-0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.0.0-alpha-1",
"status": "affected",
"version": "3.0.0-alpha-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bartlomiej Dmitruk \u003cbartek@striga.ai\u003e"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lenny Primak \u003clenny@flowlogix.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eApache Shiro\u2019s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login.\u003cbr\u003eIn affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module.\u003cbr\u003eThis issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Apache Shiro\u2019s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login.\nIn affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module.\nThis issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "AUTOMATIC",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 0,
"baseSeverity": "NONE",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/S:N/AU:Y/R:A/V:D/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T20:20:03.597Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://shiro.apache.org/security-reports.html#cve_2026_48589"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-48589",
"datePublished": "2026-05-25T20:20:03.597Z",
"dateReserved": "2026-05-22T00:31:53.177Z",
"dateUpdated": "2026-05-26T12:37:44.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44598 (GCVE-0-2026-44598)
Vulnerability from nvd – Published: 2026-05-25 20:19 – Updated: 2026-05-26 12:38
VLAI
Title
Apache Shiro Jakarta EE module: Open redirect and SSRF (requires valid credentials)
Summary
With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro.
This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.
Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie.
After successful login, Jakarta EE integration module uses shiroSavedRequest cookie to redirect to a particular web page after login.
This cookie was not validated, and can be forged to send a HTTP GET request from the server itself to an arbitrary URL from the cookie.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro Jakarta EE module |
Affected:
2.0.0-alpha-0 , ≤ 2.1.0
(semver)
Affected: 3.0.0-alpha-0 , ≤ 3.0.0-alpha-1 (semver) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-25T21:26:14.204Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/25/8"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44598",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T12:38:07.070104Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T12:38:12.217Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.shiro:shiro-jakarta-ee",
"product": "Apache Shiro Jakarta EE module",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "2.0.0-alpha-0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.0.0-alpha-1",
"status": "affected",
"version": "3.0.0-alpha-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "James Love \u003cjameslove2k22@gmail.com\u003e"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lenny Primak \u003clenny@flowlogix.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWith valid login credentials, URL Redirection to Untrusted Site (\u0027Open Redirect\u0027), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro.\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1,\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eonly w\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ehen using shiro-jakarta-ee integration module.\u003c/span\u003e\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie.\u003c/p\u003e\u003cp\u003eAfter successful login, Jakarta EE integration module uses shiroSavedRequest cookie to redirect to a particular web page after login.\u003cbr\u003eThis cookie was not validated, and can be forged to send a HTTP GET request from the server itself to an arbitrary URL from the cookie.\u003c/p\u003e"
}
],
"value": "With valid login credentials, URL Redirection to Untrusted Site (\u0027Open Redirect\u0027), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro.\n\n\n\n\nThis issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1,\u00a0only when using shiro-jakarta-ee integration module.\n\nUsers are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie.\n\nAfter successful login, Jakarta EE integration module uses shiroSavedRequest cookie to redirect to a particular web page after login.\nThis cookie was not validated, and can be forged to send a HTTP GET request from the server itself to an arbitrary URL from the cookie."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "AUTOMATIC",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:Y/R:A/V:D/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T20:19:44.317Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://shiro.apache.org/security-reports.html#cve_2026_44598"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Shiro Jakarta EE module: Open redirect and SSRF (requires valid credentials)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-44598",
"datePublished": "2026-05-25T20:19:44.317Z",
"dateReserved": "2026-05-07T01:57:05.531Z",
"dateUpdated": "2026-05-26T12:38:12.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43828 (GCVE-0-2026-43828)
Vulnerability from nvd – Published: 2026-05-25 20:19 – Updated: 2026-05-26 12:38
VLAI
Title
Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default
Summary
Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute.
This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.
Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.
In the affected versions, Shiro-native session manager, as well as Remember-Me manager sends JSESSIONID and rememberMe cookies without 'secure' attribute by default.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Affected:
1.0 , ≤ 2.1.0
(semver)
Affected: 3.0.0-alpha-0 , ≤ 3.0.0-alpha-1 (semver) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-25T21:26:13.232Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/25/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43828",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T12:38:31.723332Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T12:38:38.399Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.shiro:shiro-web",
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.0.0-alpha-1",
"status": "affected",
"version": "3.0.0-alpha-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Meteor_Kai \u003c1318723916@qq.com\u003e"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lenny Primak \u003clenny@flowlogix.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDefault configurations of Apache Shiro send sensitive cookies in HTTPS session without \u0027Secure\u0027 attribute.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.\u003c/p\u003eIn the affected versions, Shiro-native session manager, as well as Remember-Me manager sends JSESSIONID and rememberMe cookies without \u0027secure\u0027 attribute by default.\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Default configurations of Apache Shiro send sensitive cookies in HTTPS session without \u0027Secure\u0027 attribute.\n\n\n\nThis issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.\n\nUsers are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.\n\nIn the affected versions, Shiro-native session manager, as well as Remember-Me manager sends JSESSIONID and rememberMe cookies without \u0027secure\u0027 attribute by default."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/AU:Y/R:U/RE:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-614",
"description": "CWE-614 Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T20:19:26.227Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://shiro.apache.org/security-reports.html#cve_2026_43828"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Shiro: Shiro\u0027s native session and rememberMe cookies do not have secure flag set by default",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-43828",
"datePublished": "2026-05-25T20:19:26.227Z",
"dateReserved": "2026-05-03T19:25:59.025Z",
"dateUpdated": "2026-05-26T12:38:38.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43827 (GCVE-0-2026-43827)
Vulnerability from nvd – Published: 2026-05-25 20:19 – Updated: 2026-05-26 12:39
VLAI
Title
Apache Shiro: Session fixation: new session is not created after login by default
Summary
Default configurations of Apache Shiro have a session fixation vulnerability.
This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.
Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.
In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-384 - Session Fixation
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Affected:
1.0 , ≤ 2.1.0
(semver)
Affected: 3.0.0-alpha-0 , ≤ 3.0.0-alpha-1 (semver) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-25T21:26:12.053Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/25/6"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43827",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T12:39:33.503346Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T12:39:39.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.shiro:shiro-core",
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.0.0-alpha-1",
"status": "affected",
"version": "3.0.0-alpha-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rasmus Moorats \u003cxx@nns.ee\u003e"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lenny Primak \u003clenny@flowlogix.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDefault configurations of Apache Shiro have a s\u003c/span\u003eession fixation vulnerability.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.\u003c/p\u003eIn the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Default configurations of Apache Shiro have a session fixation vulnerability.\n\nThis issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.\n\nUsers are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.\n\nIn the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/AU:Y/R:U/RE:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384 Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T20:19:03.428Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://shiro.apache.org/security-reports.html#cve_2026_43827"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Shiro: Session fixation: new session is not created after login by default",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-43827",
"datePublished": "2026-05-25T20:19:03.428Z",
"dateReserved": "2026-05-02T22:26:19.626Z",
"dateUpdated": "2026-05-26T12:39:39.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23901 (GCVE-0-2026-23901)
Vulnerability from nvd – Published: 2026-02-10 09:25 – Updated: 2026-02-10 15:31
VLAI
Title
Apache Shiro: Brute force attack possible to determine valid user names
Summary
Observable Timing Discrepancy vulnerability in Apache Shiro.
This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7.
Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue.
Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough,
that a brute-force attack may be able to tell, by timing the requests only, determine if
the request failed because of a non-existent user vs. wrong password.
The most likely attack vector is a local attack only.
Shiro security model https://shiro.apache.org/security-model.html#username_enumeration discusses this as well.
Typically, brute force attack can be mitigated at the infrastructure level.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-208 - Observable Timing Discrepancy
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Affected:
0 , < 2.0.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-02-10T10:22:44.721Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/02/08/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23901",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-10T15:31:09.515973Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T15:31:25.166Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.shiro:shiro-core",
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.0.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "4ra1n"
},
{
"lang": "en",
"type": "finder",
"value": "Y4tacker"
},
{
"lang": "en",
"type": "remediation developer",
"value": "lprimak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eObservable Timing Discrepancy vulnerability in Apache Shiro.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Shiro: from 1.*, 2.* before 2.0.7.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.0.7 or later, which fixes the issue.\u003c/p\u003ePrior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough,\u003cbr\u003ethat a brute-force attack may be able to tell, by timing the requests only, determine if\u003cbr\u003ethe request failed because of a non-existent user vs. wrong password.\u003cbr\u003e\u003cbr\u003eThe most likely attack vector is a local attack only.\u003cbr\u003eShiro security model\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://shiro.apache.org/security-model.html#username_enumeration\"\u003ehttps://shiro.apache.org/security-model.html#username_enumeration\u003c/a\u003e\u0026nbsp;discusses this as well.\u003cbr\u003e\u003cbr\u003eTypically, brute force attack can be mitigated at the infrastructure level."
}
],
"value": "Observable Timing Discrepancy vulnerability in Apache Shiro.\n\nThis issue affects Apache Shiro: from 1.*, 2.* before 2.0.7.\n\nUsers are recommended to upgrade to version 2.0.7 or later, which fixes the issue.\n\nPrior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough,\nthat a brute-force attack may be able to tell, by timing the requests only, determine if\nthe request failed because of a non-existent user vs. wrong password.\n\nThe most likely attack vector is a local attack only.\nShiro security model\u00a0 https://shiro.apache.org/security-model.html#username_enumeration \u00a0discusses this as well.\n\nTypically, brute force attack can be mitigated at the infrastructure level."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "AUTOMATIC",
"Safety": "NEGLIGIBLE",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 1,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:Y/R:A/V:C/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208 Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T09:25:51.765Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/mm1jct9b86jvnh3y44tj22xvjtx3xhhh"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Shiro: Brute force attack possible to determine valid user names",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-23901",
"datePublished": "2026-02-10T09:25:51.765Z",
"dateReserved": "2026-01-17T18:01:53.140Z",
"dateUpdated": "2026-02-10T15:31:25.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23903 (GCVE-0-2026-23903)
Vulnerability from nvd – Published: 2026-02-09 09:26 – Updated: 2026-02-09 16:17
VLAI
Title
Apache Shiro: Auth bypass when accessing static files only on case-insensitive filesystems
Summary
Authentication Bypass by Alternate Name vulnerability in Apache Shiro.
This issue affects Apache Shiro: before 2.0.7.
Users are recommended to upgrade to version 2.0.7, which fixes the issue.
The issue only effects static files. If static files are served from a case-insensitive filesystem,
such as default macOS setup, static files may be accessed by varying the case of the filename in the request.
If only lower-case (common default) filters are present in Shiro, they may be bypassed this way.
Shiro 2.0.7 and later has a new parameters to remediate this issue
shiro.ini: filterChainResolver.caseInsensitive = true
application.propertie: shiro.caseInsensitive=true
Shiro 3.0.0 and later (upcoming) makes this the default.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-289 - Authentication Bypass by Alternate Name
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Affected:
0 , < 2.0.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-02-09T10:25:43.212Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/02/08/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-23903",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-09T16:17:20.608697Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T16:17:43.204Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.shiro:shiro-web",
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.0.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jesse Yang"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lenny Pimak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAuthentication Bypass by Alternate Name vulnerability in Apache Shiro.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Shiro: before 2.0.7.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.0.7, which fixes the issue.\u003c/p\u003eThe issue only effects static files. If static files are served from a case-insensitive filesystem,\u003cbr\u003esuch as default macOS setup, static files may be accessed by varying the case of the filename in the request.\u003cbr\u003eIf only lower-case (common default) filters are present in Shiro, they may be bypassed this way.\u003cbr\u003e\u003cbr\u003eShiro 2.0.7 and later has a new parameters to remediate this issue\u003cbr\u003eshiro.ini: \u003cspan style=\"background-color: rgba(129, 139, 152, 0.12);\"\u003efilterChainResolver.caseInsensitive = true\u003cbr\u003e\u003c/span\u003eapplication.propertie: shiro\u003cspan style=\"background-color: rgba(129, 139, 152, 0.12);\"\u003e.caseInsensitive=true\u003cbr\u003e\u003c/span\u003e\u003cbr\u003eShiro 3.0.0 and later (upcoming) makes this the default."
}
],
"value": "Authentication Bypass by Alternate Name vulnerability in Apache Shiro.\n\nThis issue affects Apache Shiro: before 2.0.7.\n\nUsers are recommended to upgrade to version 2.0.7, which fixes the issue.\n\nThe issue only effects static files. If static files are served from a case-insensitive filesystem,\nsuch as default macOS setup, static files may be accessed by varying the case of the filename in the request.\nIf only lower-case (common default) filters are present in Shiro, they may be bypassed this way.\n\nShiro 2.0.7 and later has a new parameters to remediate this issue\nshiro.ini: filterChainResolver.caseInsensitive = true\napplication.propertie: shiro.caseInsensitive=true\n\nShiro 3.0.0 and later (upcoming) makes this the default."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-289",
"description": "CWE-289 Authentication Bypass by Alternate Name",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T09:26:21.772Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/5jjf0hnjcol58z2m5y255c7scz1lnp8k"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Shiro: Auth bypass when accessing static files only on case-insensitive filesystems",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-23903",
"datePublished": "2026-02-09T09:26:21.772Z",
"dateReserved": "2026-01-19T01:14:40.103Z",
"dateUpdated": "2026-02-09T16:17:43.204Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-46749 (GCVE-0-2023-46749)
Vulnerability from nvd – Published: 2024-01-15 09:57 – Updated: 2025-11-03 21:50
VLAI
Title
Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting
Summary
Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting
Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/mdv7ftz7k4488rzlo… | vendor-advisory |
| https://security.netapp.com/advisory/ntap-2024110… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Affected:
0 , < 1.13.0
(semver)
Affected: 2.0.0-alpha-1 , < 2.0.0-alpha-4 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:50:03.484Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm"
},
{
"url": "https://security.netapp.com/advisory/ntap-20241108-0002/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-46749",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T20:15:57.603857Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T14:01:03.669Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.13.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "2.0.0-alpha-4",
"status": "affected",
"version": "2.0.0-alpha-1",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting \u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).\u003cbr\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting \n\nMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-20T10:01:32.470Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting ",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-46749",
"datePublished": "2024-01-15T09:57:31.613Z",
"dateReserved": "2023-10-25T18:55:02.833Z",
"dateUpdated": "2025-11-03T21:50:03.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-46750 (GCVE-0-2023-46750)
Vulnerability from nvd – Published: 2023-12-14 08:15 – Updated: 2025-11-03 21:50
VLAI
Title
Apache Shiro: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Shiro.
Summary
URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro.
Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.
Severity
4.7 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Affected:
0 , < 1.13.0
(semver)
Affected: 2.0.0-alpha-1 , < 2.0.0-alpha-4 (semver) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:50:05.435Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240808-0002/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20241108-0002/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-46750",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-22T17:47:04.429290Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T17:47:51.801Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.shiro:shiro-web",
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.13.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "2.0.0-alpha-4",
"status": "affected",
"version": "2.0.0-alpha-1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Claudio Villella"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eURL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability when \"form\" authentication is used in Apache Shiro.\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability when \"form\" authentication is used in Apache Shiro.\nMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-14T08:15:58.031Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Shiro: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in FORM authentication feature Apache Shiro.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-46750",
"datePublished": "2023-12-14T08:15:58.031Z",
"dateReserved": "2023-10-25T19:11:12.143Z",
"dateUpdated": "2025-11-03T21:50:05.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-34478 (GCVE-0-2023-34478)
Vulnerability from nvd – Published: 2023-07-24 18:24 – Updated: 2025-02-13 16:55
VLAI
Title
Apache Shiro before 1.12.0, or 2.0.0-alpha-3, may be susceptible to a path traversal attack when used together with APIs or other web frameworks that route requests based on non-normalized requests.
Summary
Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.
Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
3 references
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Affected:
0 , < 1.12.0
(semver)
Affected: 0 , < 2.0.0-alpha-3 (semver) |
|
| apache | shiro |
Affected:
0 , < 1.12.0
(custom)
cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:* |
|
| apache | shiro |
Affected:
2.0.0alpha1
Affected: 2.0.0alpha2 cpe:2.3:a:apache:shiro:2.0.0:alpha2:*:*:*:*:*:* cpe:2.3:a:apache:shiro:2.0.0:alpha1:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:10:07.042Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/mbv26onkgw9o35rldh7vmq11wpv2t2qk"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/07/24/4"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230915-0005/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "shiro",
"vendor": "apache",
"versions": [
{
"lessThan": "1.12.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:apache:shiro:2.0.0:alpha2:*:*:*:*:*:*",
"cpe:2.3:a:apache:shiro:2.0.0:alpha1:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "shiro",
"vendor": "apache",
"versions": [
{
"status": "affected",
"version": "2.0.0alpha1"
},
{
"status": "affected",
"version": "2.0.0alpha2"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-34478",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-02T18:25:43.914210Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T18:29:59.782Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.12.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "2.0.0-alpha-3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "tkswifty"
},
{
"lang": "en",
"type": "finder",
"value": "Ha1c9on"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003emay be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.\u003cbr\u003e\u003cbr\u003e\u003cstrong\u003eMitigation:\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.\n\nMitigation:\u00a0Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-15T13:06:33.543Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/mbv26onkgw9o35rldh7vmq11wpv2t2qk"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/07/24/4"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230915-0005/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Shiro before 1.12.0, or 2.0.0-alpha-3, may be susceptible to a path traversal attack when used together with APIs or other web frameworks that route requests based on non-normalized requests.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-34478",
"datePublished": "2023-07-24T18:24:45.619Z",
"dateReserved": "2023-06-07T18:50:06.956Z",
"dateUpdated": "2025-02-13T16:55:37.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22602 (GCVE-0-2023-22602)
Vulnerability from nvd – Published: 2023-01-14 09:33 – Updated: 2024-08-02 10:13
VLAI
Title
Apache Shiro before 1.11.0, when used with Spring Boot 2.6+, may allow authentication bypass through a specially crafted HTTP request
Summary
When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.
The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching.
Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-436 - Interpretation Conflict
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/dzj0k2smpzzgj6g66… | vendor-advisory |
| https://security.netapp.com/advisory/ntap-2023030… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Unaffected:
0 , < 1.11.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:49.411Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20230302-0001/"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22602",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-01T15:25:09.693167Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T15:25:23.157Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.11.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "v3ged0ge and Adamytd"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003eThe authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot \u0026lt; 2.6 default to Ant style pattern matching.\u003cbr\u003e\u003cp\u003eMitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.\n\nThe authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot \u003c 2.6 default to Ant style pattern matching.\nMitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`\n\n\n"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436 Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-14T09:33:39.775Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Shiro before 1.11.0, when used with Spring Boot 2.6+, may allow authentication bypass through a specially crafted HTTP request",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-22602",
"datePublished": "2023-01-14T09:33:39.775Z",
"dateReserved": "2023-01-03T23:52:40.911Z",
"dateUpdated": "2024-08-02T10:13:49.411Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40664 (GCVE-0-2022-40664)
Vulnerability from nvd – Published: 2022-10-12 00:00 – Updated: 2025-05-15 15:02
VLAI
Title
Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher
Summary
Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
5 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Affected:
Apache Shiro , < 1.10.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:21:46.341Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg"
},
{
"name": "[oss-security] 20221011 CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/12/1"
},
{
"name": "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/12/2"
},
{
"name": "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/13/1"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20221118-0005/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-40664",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-15T15:02:13.459494Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T15:02:41.513Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.10.0",
"status": "affected",
"version": "Apache Shiro",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Shiro would like to thank Y4tacker for reporting this issue"
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-18T00:00:00.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg"
},
{
"name": "[oss-security] 20221011 CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/12/1"
},
{
"name": "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/12/2"
},
{
"name": "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/13/1"
},
{
"url": "https://security.netapp.com/advisory/ntap-20221118-0005/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-40664",
"datePublished": "2022-10-12T00:00:00.000Z",
"dateReserved": "2022-09-13T00:00:00.000Z",
"dateUpdated": "2025-05-15T15:02:41.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-32532 (GCVE-0-2022-32532)
Vulnerability from nvd – Published: 2022-06-28 23:20 – Updated: 2024-08-03 07:46
VLAI
Title
Authentication Bypass Vulnerability
Summary
Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Severity
No CVSS data available.
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/y8260dw8vbm99oq7z… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Affected:
Before 1.9.1
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:46:43.634Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Before 1.9.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Shiro would like the thank 4ra1n for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-28T23:20:11.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authentication Bypass Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-32532",
"STATE": "PUBLIC",
"TITLE": "Authentication Bypass Vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Shiro",
"version": {
"version_data": [
{
"version_value": "Before 1.9.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache Shiro would like the thank 4ra1n for reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863 Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-32532",
"datePublished": "2022-06-28T23:20:11.000Z",
"dateReserved": "2022-06-07T00:00:00.000Z",
"dateUpdated": "2024-08-03T07:46:43.634Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41303 (GCVE-0-2021-41303)
Vulnerability from nvd – Published: 2021-09-17 08:20 – Updated: 2024-08-04 03:08
VLAI
Title
Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass
Summary
Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.
Severity
No CVSS data available.
CWE
- CWE-287 - Improper Authentication
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/re470be1ffea… | x_refsource_MISC |
| https://lists.apache.org/thread.html/raae98bb934e… | mailing-listx_refsource_MLIST |
| https://www.oracle.com/security-alerts/cpujul2022.html | x_refsource_MISC |
| https://security.netapp.com/advisory/ntap-2022060… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Affected:
Apache Shiro , < 1.8.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:08:32.012Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E"
},
{
"name": "[shiro-user] 20210929 Re: CVE-2021-41303: Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b%40%3Cuser.shiro.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220609-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.8.0",
"status": "affected",
"version": "Apache Shiro",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Shiro would like to thank tsug0d for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:38:40.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E"
},
{
"name": "[shiro-user] 20210929 Re: CVE-2021-41303: Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b%40%3Cuser.shiro.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220609-0001/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-41303",
"STATE": "PUBLIC",
"TITLE": "Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Shiro",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache Shiro",
"version_value": "1.8.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache Shiro would like to thank tsug0d for reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287 Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E"
},
{
"name": "[shiro-user] 20210929 Re: CVE-2021-41303: Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b@%3Cuser.shiro.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220609-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220609-0001/"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-41303",
"datePublished": "2021-09-17T08:20:12.000Z",
"dateReserved": "2021-09-16T00:00:00.000Z",
"dateUpdated": "2024-08-04T03:08:32.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-17523 (GCVE-0-2020-17523)
Vulnerability from nvd – Published: 2021-02-03 16:55 – Updated: 2024-08-04 14:00
VLAI
Summary
Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
Severity
No CVSS data available.
CWE
- Information Disclosure
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/rce5943430a6… | x_refsource_MISC |
| https://lists.apache.org/thread.html/r5b93ddf97e2… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/rd4b613e1214… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r9d93dfb5df0… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/re25b8317b00… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r679ca978133… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r8244fd0831d… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r852971e28f5… | mailing-listx_refsource_MLIST |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Apache Shiro |
Affected:
before 1.7.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:00:48.826Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[activemq-gitbox] 20210210 [GitHub] [activemq] ehossack-aws opened a new pull request #614: Update shiro to 1.7.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5b93ddf97e2c4cda779d22fab30539bdec454cfa5baec4ad0ffae235%40%3Cgitbox.activemq.apache.org%3E"
},
{
"name": "[activemq-issues] 20210301 [jira] [Created] (AMQ-8159) High severity security issues found in Apache Shiro v.1.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd4b613e121438b97e3eb263cac3137caddb1dbd8f648b73a4f1898a6%40%3Cissues.activemq.apache.org%3E"
},
{
"name": "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210424 Re: Ask help for upgrading Shiro in CDH platform to 1.7.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r679ca97813384bdb1a4c087810ba44d9ad9c7c11583979bb7481d196%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E"
},
{
"name": "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Shiro",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "before 1.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-05T02:06:26.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[activemq-gitbox] 20210210 [GitHub] [activemq] ehossack-aws opened a new pull request #614: Update shiro to 1.7.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5b93ddf97e2c4cda779d22fab30539bdec454cfa5baec4ad0ffae235%40%3Cgitbox.activemq.apache.org%3E"
},
{
"name": "[activemq-issues] 20210301 [jira] [Created] (AMQ-8159) High severity security issues found in Apache Shiro v.1.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd4b613e121438b97e3eb263cac3137caddb1dbd8f648b73a4f1898a6%40%3Cissues.activemq.apache.org%3E"
},
{
"name": "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210424 Re: Ask help for upgrading Shiro in CDH platform to 1.7.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r679ca97813384bdb1a4c087810ba44d9ad9c7c11583979bb7481d196%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E"
},
{
"name": "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-17523",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Shiro",
"version": {
"version_data": [
{
"version_value": "before 1.7.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[activemq-gitbox] 20210210 [GitHub] [activemq] ehossack-aws opened a new pull request #614: Update shiro to 1.7.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5b93ddf97e2c4cda779d22fab30539bdec454cfa5baec4ad0ffae235@%3Cgitbox.activemq.apache.org%3E"
},
{
"name": "[activemq-issues] 20210301 [jira] [Created] (AMQ-8159) High severity security issues found in Apache Shiro v.1.7.0",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd4b613e121438b97e3eb263cac3137caddb1dbd8f648b73a4f1898a6@%3Cissues.activemq.apache.org%3E"
},
{
"name": "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210424 Re: Ask help for upgrading Shiro in CDH platform to 1.7.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r679ca97813384bdb1a4c087810ba44d9ad9c7c11583979bb7481d196@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E"
},
{
"name": "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac@%3Cdev.shiro.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-17523",
"datePublished": "2021-02-03T16:55:18.000Z",
"dateReserved": "2020-08-12T00:00:00.000Z",
"dateUpdated": "2024-08-04T14:00:48.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-17510 (GCVE-0-2020-17510)
Vulnerability from nvd – Published: 2020-11-05 20:17 – Updated: 2024-08-04 14:00
VLAI
Summary
Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
Severity
No CVSS data available.
CWE
- Authentication Bypass
Assigner
References
10 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/rc2cff2538b6… | x_refsource_MISC |
| https://lists.apache.org/thread.html/r95bdf370385… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r70098e336d0… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/rb47d88af224… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r575301804bf… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r70b907ccb30… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r9d93dfb5df0… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/re25b8317b00… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r852971e28f5… | mailing-listx_refsource_MLIST |
| https://lists.debian.org/debian-lts-announce/2021… | mailing-listx_refsource_MLIST |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Apache Shiro |
Affected:
Apache Shiro to 1.7.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:00:48.649Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[announce] 20201105 [CVE-2020-17510] Apache Shiro 1.7.0 released",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r95bdf3703858b5f958b5e190d747421771b430d97095880db91980d6%40%3Cannounce.apache.org%3E"
},
{
"name": "[shiro-dev] 20201221 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201222 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210130 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210316 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210802 [SECURITY] [DLA 2726-1] shiro security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Shiro",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Apache Shiro to 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Authentication Bypass",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-03T03:06:18.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[announce] 20201105 [CVE-2020-17510] Apache Shiro 1.7.0 released",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r95bdf3703858b5f958b5e190d747421771b430d97095880db91980d6%40%3Cannounce.apache.org%3E"
},
{
"name": "[shiro-dev] 20201221 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201222 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210130 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210316 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210802 [SECURITY] [DLA 2726-1] shiro security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-17510",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Shiro",
"version": {
"version_data": [
{
"version_value": "Apache Shiro to 1.7.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Authentication Bypass"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[announce] 20201105 [CVE-2020-17510] Apache Shiro 1.7.0 released",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r95bdf3703858b5f958b5e190d747421771b430d97095880db91980d6@%3Cannounce.apache.org%3E"
},
{
"name": "[shiro-dev] 20201221 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201222 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210130 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210316 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210802 [SECURITY] [DLA 2726-1] shiro security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-17510",
"datePublished": "2020-11-05T20:17:36.000Z",
"dateReserved": "2020-08-12T00:00:00.000Z",
"dateUpdated": "2024-08-04T14:00:48.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-48589 (GCVE-0-2026-48589)
Vulnerability from cvelistv5 – Published: 2026-05-25 20:20 – Updated: 2026-05-26 12:37
VLAI
Title
Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow
Summary
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login.
In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module.
This issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Affected:
2.0.0-alpha-0 , ≤ 2.2.0
(semver)
Affected: 3.0.0-alpha-0 , ≤ 3.0.0-alpha-1 (semver) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-25T21:26:15.212Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/25/9"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48589",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T12:37:36.660873Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T12:37:44.475Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.shiro:shiro-jakarta-ee",
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.2.0",
"status": "affected",
"version": "2.0.0-alpha-0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.0.0-alpha-1",
"status": "affected",
"version": "3.0.0-alpha-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bartlomiej Dmitruk \u003cbartek@striga.ai\u003e"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lenny Primak \u003clenny@flowlogix.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eApache Shiro\u2019s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login.\u003cbr\u003eIn affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module.\u003cbr\u003eThis issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Apache Shiro\u2019s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login.\nIn affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module.\nThis issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "AUTOMATIC",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 0,
"baseSeverity": "NONE",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/S:N/AU:Y/R:A/V:D/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T20:20:03.597Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://shiro.apache.org/security-reports.html#cve_2026_48589"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-48589",
"datePublished": "2026-05-25T20:20:03.597Z",
"dateReserved": "2026-05-22T00:31:53.177Z",
"dateUpdated": "2026-05-26T12:37:44.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44598 (GCVE-0-2026-44598)
Vulnerability from cvelistv5 – Published: 2026-05-25 20:19 – Updated: 2026-05-26 12:38
VLAI
Title
Apache Shiro Jakarta EE module: Open redirect and SSRF (requires valid credentials)
Summary
With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro.
This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.
Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie.
After successful login, Jakarta EE integration module uses shiroSavedRequest cookie to redirect to a particular web page after login.
This cookie was not validated, and can be forged to send a HTTP GET request from the server itself to an arbitrary URL from the cookie.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro Jakarta EE module |
Affected:
2.0.0-alpha-0 , ≤ 2.1.0
(semver)
Affected: 3.0.0-alpha-0 , ≤ 3.0.0-alpha-1 (semver) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-25T21:26:14.204Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/25/8"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44598",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T12:38:07.070104Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T12:38:12.217Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.shiro:shiro-jakarta-ee",
"product": "Apache Shiro Jakarta EE module",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "2.0.0-alpha-0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.0.0-alpha-1",
"status": "affected",
"version": "3.0.0-alpha-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "James Love \u003cjameslove2k22@gmail.com\u003e"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lenny Primak \u003clenny@flowlogix.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWith valid login credentials, URL Redirection to Untrusted Site (\u0027Open Redirect\u0027), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro.\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1,\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eonly w\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ehen using shiro-jakarta-ee integration module.\u003c/span\u003e\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie.\u003c/p\u003e\u003cp\u003eAfter successful login, Jakarta EE integration module uses shiroSavedRequest cookie to redirect to a particular web page after login.\u003cbr\u003eThis cookie was not validated, and can be forged to send a HTTP GET request from the server itself to an arbitrary URL from the cookie.\u003c/p\u003e"
}
],
"value": "With valid login credentials, URL Redirection to Untrusted Site (\u0027Open Redirect\u0027), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro.\n\n\n\n\nThis issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1,\u00a0only when using shiro-jakarta-ee integration module.\n\nUsers are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie.\n\nAfter successful login, Jakarta EE integration module uses shiroSavedRequest cookie to redirect to a particular web page after login.\nThis cookie was not validated, and can be forged to send a HTTP GET request from the server itself to an arbitrary URL from the cookie."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "AUTOMATIC",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:Y/R:A/V:D/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T20:19:44.317Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://shiro.apache.org/security-reports.html#cve_2026_44598"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Shiro Jakarta EE module: Open redirect and SSRF (requires valid credentials)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-44598",
"datePublished": "2026-05-25T20:19:44.317Z",
"dateReserved": "2026-05-07T01:57:05.531Z",
"dateUpdated": "2026-05-26T12:38:12.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43828 (GCVE-0-2026-43828)
Vulnerability from cvelistv5 – Published: 2026-05-25 20:19 – Updated: 2026-05-26 12:38
VLAI
Title
Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default
Summary
Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute.
This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.
Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.
In the affected versions, Shiro-native session manager, as well as Remember-Me manager sends JSESSIONID and rememberMe cookies without 'secure' attribute by default.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Affected:
1.0 , ≤ 2.1.0
(semver)
Affected: 3.0.0-alpha-0 , ≤ 3.0.0-alpha-1 (semver) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-25T21:26:13.232Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/25/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43828",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T12:38:31.723332Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T12:38:38.399Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.shiro:shiro-web",
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.0.0-alpha-1",
"status": "affected",
"version": "3.0.0-alpha-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Meteor_Kai \u003c1318723916@qq.com\u003e"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lenny Primak \u003clenny@flowlogix.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDefault configurations of Apache Shiro send sensitive cookies in HTTPS session without \u0027Secure\u0027 attribute.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.\u003c/p\u003eIn the affected versions, Shiro-native session manager, as well as Remember-Me manager sends JSESSIONID and rememberMe cookies without \u0027secure\u0027 attribute by default.\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Default configurations of Apache Shiro send sensitive cookies in HTTPS session without \u0027Secure\u0027 attribute.\n\n\n\nThis issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.\n\nUsers are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.\n\nIn the affected versions, Shiro-native session manager, as well as Remember-Me manager sends JSESSIONID and rememberMe cookies without \u0027secure\u0027 attribute by default."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/AU:Y/R:U/RE:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-614",
"description": "CWE-614 Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T20:19:26.227Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://shiro.apache.org/security-reports.html#cve_2026_43828"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Shiro: Shiro\u0027s native session and rememberMe cookies do not have secure flag set by default",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-43828",
"datePublished": "2026-05-25T20:19:26.227Z",
"dateReserved": "2026-05-03T19:25:59.025Z",
"dateUpdated": "2026-05-26T12:38:38.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43827 (GCVE-0-2026-43827)
Vulnerability from cvelistv5 – Published: 2026-05-25 20:19 – Updated: 2026-05-26 12:39
VLAI
Title
Apache Shiro: Session fixation: new session is not created after login by default
Summary
Default configurations of Apache Shiro have a session fixation vulnerability.
This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.
Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.
In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-384 - Session Fixation
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Affected:
1.0 , ≤ 2.1.0
(semver)
Affected: 3.0.0-alpha-0 , ≤ 3.0.0-alpha-1 (semver) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-25T21:26:12.053Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/25/6"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43827",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T12:39:33.503346Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T12:39:39.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.shiro:shiro-core",
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.0.0-alpha-1",
"status": "affected",
"version": "3.0.0-alpha-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rasmus Moorats \u003cxx@nns.ee\u003e"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lenny Primak \u003clenny@flowlogix.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDefault configurations of Apache Shiro have a s\u003c/span\u003eession fixation vulnerability.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.\u003c/p\u003eIn the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Default configurations of Apache Shiro have a session fixation vulnerability.\n\nThis issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.\n\nUsers are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.\n\nIn the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/AU:Y/R:U/RE:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384 Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T20:19:03.428Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://shiro.apache.org/security-reports.html#cve_2026_43827"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Shiro: Session fixation: new session is not created after login by default",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-43827",
"datePublished": "2026-05-25T20:19:03.428Z",
"dateReserved": "2026-05-02T22:26:19.626Z",
"dateUpdated": "2026-05-26T12:39:39.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23901 (GCVE-0-2026-23901)
Vulnerability from cvelistv5 – Published: 2026-02-10 09:25 – Updated: 2026-02-10 15:31
VLAI
Title
Apache Shiro: Brute force attack possible to determine valid user names
Summary
Observable Timing Discrepancy vulnerability in Apache Shiro.
This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7.
Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue.
Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough,
that a brute-force attack may be able to tell, by timing the requests only, determine if
the request failed because of a non-existent user vs. wrong password.
The most likely attack vector is a local attack only.
Shiro security model https://shiro.apache.org/security-model.html#username_enumeration discusses this as well.
Typically, brute force attack can be mitigated at the infrastructure level.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-208 - Observable Timing Discrepancy
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Affected:
0 , < 2.0.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-02-10T10:22:44.721Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/02/08/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23901",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-10T15:31:09.515973Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T15:31:25.166Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.shiro:shiro-core",
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.0.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "4ra1n"
},
{
"lang": "en",
"type": "finder",
"value": "Y4tacker"
},
{
"lang": "en",
"type": "remediation developer",
"value": "lprimak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eObservable Timing Discrepancy vulnerability in Apache Shiro.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Shiro: from 1.*, 2.* before 2.0.7.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.0.7 or later, which fixes the issue.\u003c/p\u003ePrior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough,\u003cbr\u003ethat a brute-force attack may be able to tell, by timing the requests only, determine if\u003cbr\u003ethe request failed because of a non-existent user vs. wrong password.\u003cbr\u003e\u003cbr\u003eThe most likely attack vector is a local attack only.\u003cbr\u003eShiro security model\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://shiro.apache.org/security-model.html#username_enumeration\"\u003ehttps://shiro.apache.org/security-model.html#username_enumeration\u003c/a\u003e\u0026nbsp;discusses this as well.\u003cbr\u003e\u003cbr\u003eTypically, brute force attack can be mitigated at the infrastructure level."
}
],
"value": "Observable Timing Discrepancy vulnerability in Apache Shiro.\n\nThis issue affects Apache Shiro: from 1.*, 2.* before 2.0.7.\n\nUsers are recommended to upgrade to version 2.0.7 or later, which fixes the issue.\n\nPrior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough,\nthat a brute-force attack may be able to tell, by timing the requests only, determine if\nthe request failed because of a non-existent user vs. wrong password.\n\nThe most likely attack vector is a local attack only.\nShiro security model\u00a0 https://shiro.apache.org/security-model.html#username_enumeration \u00a0discusses this as well.\n\nTypically, brute force attack can be mitigated at the infrastructure level."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "AUTOMATIC",
"Safety": "NEGLIGIBLE",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 1,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:Y/R:A/V:C/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208 Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T09:25:51.765Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/mm1jct9b86jvnh3y44tj22xvjtx3xhhh"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Shiro: Brute force attack possible to determine valid user names",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-23901",
"datePublished": "2026-02-10T09:25:51.765Z",
"dateReserved": "2026-01-17T18:01:53.140Z",
"dateUpdated": "2026-02-10T15:31:25.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23903 (GCVE-0-2026-23903)
Vulnerability from cvelistv5 – Published: 2026-02-09 09:26 – Updated: 2026-02-09 16:17
VLAI
Title
Apache Shiro: Auth bypass when accessing static files only on case-insensitive filesystems
Summary
Authentication Bypass by Alternate Name vulnerability in Apache Shiro.
This issue affects Apache Shiro: before 2.0.7.
Users are recommended to upgrade to version 2.0.7, which fixes the issue.
The issue only effects static files. If static files are served from a case-insensitive filesystem,
such as default macOS setup, static files may be accessed by varying the case of the filename in the request.
If only lower-case (common default) filters are present in Shiro, they may be bypassed this way.
Shiro 2.0.7 and later has a new parameters to remediate this issue
shiro.ini: filterChainResolver.caseInsensitive = true
application.propertie: shiro.caseInsensitive=true
Shiro 3.0.0 and later (upcoming) makes this the default.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-289 - Authentication Bypass by Alternate Name
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Affected:
0 , < 2.0.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-02-09T10:25:43.212Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/02/08/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-23903",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-09T16:17:20.608697Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T16:17:43.204Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.shiro:shiro-web",
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.0.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jesse Yang"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lenny Pimak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAuthentication Bypass by Alternate Name vulnerability in Apache Shiro.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Shiro: before 2.0.7.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.0.7, which fixes the issue.\u003c/p\u003eThe issue only effects static files. If static files are served from a case-insensitive filesystem,\u003cbr\u003esuch as default macOS setup, static files may be accessed by varying the case of the filename in the request.\u003cbr\u003eIf only lower-case (common default) filters are present in Shiro, they may be bypassed this way.\u003cbr\u003e\u003cbr\u003eShiro 2.0.7 and later has a new parameters to remediate this issue\u003cbr\u003eshiro.ini: \u003cspan style=\"background-color: rgba(129, 139, 152, 0.12);\"\u003efilterChainResolver.caseInsensitive = true\u003cbr\u003e\u003c/span\u003eapplication.propertie: shiro\u003cspan style=\"background-color: rgba(129, 139, 152, 0.12);\"\u003e.caseInsensitive=true\u003cbr\u003e\u003c/span\u003e\u003cbr\u003eShiro 3.0.0 and later (upcoming) makes this the default."
}
],
"value": "Authentication Bypass by Alternate Name vulnerability in Apache Shiro.\n\nThis issue affects Apache Shiro: before 2.0.7.\n\nUsers are recommended to upgrade to version 2.0.7, which fixes the issue.\n\nThe issue only effects static files. If static files are served from a case-insensitive filesystem,\nsuch as default macOS setup, static files may be accessed by varying the case of the filename in the request.\nIf only lower-case (common default) filters are present in Shiro, they may be bypassed this way.\n\nShiro 2.0.7 and later has a new parameters to remediate this issue\nshiro.ini: filterChainResolver.caseInsensitive = true\napplication.propertie: shiro.caseInsensitive=true\n\nShiro 3.0.0 and later (upcoming) makes this the default."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-289",
"description": "CWE-289 Authentication Bypass by Alternate Name",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T09:26:21.772Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/5jjf0hnjcol58z2m5y255c7scz1lnp8k"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Shiro: Auth bypass when accessing static files only on case-insensitive filesystems",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-23903",
"datePublished": "2026-02-09T09:26:21.772Z",
"dateReserved": "2026-01-19T01:14:40.103Z",
"dateUpdated": "2026-02-09T16:17:43.204Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-46749 (GCVE-0-2023-46749)
Vulnerability from cvelistv5 – Published: 2024-01-15 09:57 – Updated: 2025-11-03 21:50
VLAI
Title
Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting
Summary
Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting
Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/mdv7ftz7k4488rzlo… | vendor-advisory |
| https://security.netapp.com/advisory/ntap-2024110… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Affected:
0 , < 1.13.0
(semver)
Affected: 2.0.0-alpha-1 , < 2.0.0-alpha-4 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:50:03.484Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm"
},
{
"url": "https://security.netapp.com/advisory/ntap-20241108-0002/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-46749",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T20:15:57.603857Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T14:01:03.669Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.13.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "2.0.0-alpha-4",
"status": "affected",
"version": "2.0.0-alpha-1",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting \u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).\u003cbr\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting \n\nMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-20T10:01:32.470Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting ",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-46749",
"datePublished": "2024-01-15T09:57:31.613Z",
"dateReserved": "2023-10-25T18:55:02.833Z",
"dateUpdated": "2025-11-03T21:50:03.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-46750 (GCVE-0-2023-46750)
Vulnerability from cvelistv5 – Published: 2023-12-14 08:15 – Updated: 2025-11-03 21:50
VLAI
Title
Apache Shiro: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Shiro.
Summary
URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro.
Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.
Severity
4.7 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Affected:
0 , < 1.13.0
(semver)
Affected: 2.0.0-alpha-1 , < 2.0.0-alpha-4 (semver) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:50:05.435Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240808-0002/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20241108-0002/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-46750",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-22T17:47:04.429290Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T17:47:51.801Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.shiro:shiro-web",
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.13.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "2.0.0-alpha-4",
"status": "affected",
"version": "2.0.0-alpha-1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Claudio Villella"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eURL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability when \"form\" authentication is used in Apache Shiro.\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability when \"form\" authentication is used in Apache Shiro.\nMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-14T08:15:58.031Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Shiro: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in FORM authentication feature Apache Shiro.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-46750",
"datePublished": "2023-12-14T08:15:58.031Z",
"dateReserved": "2023-10-25T19:11:12.143Z",
"dateUpdated": "2025-11-03T21:50:05.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-34478 (GCVE-0-2023-34478)
Vulnerability from cvelistv5 – Published: 2023-07-24 18:24 – Updated: 2025-02-13 16:55
VLAI
Title
Apache Shiro before 1.12.0, or 2.0.0-alpha-3, may be susceptible to a path traversal attack when used together with APIs or other web frameworks that route requests based on non-normalized requests.
Summary
Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.
Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
3 references
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Affected:
0 , < 1.12.0
(semver)
Affected: 0 , < 2.0.0-alpha-3 (semver) |
|
| apache | shiro |
Affected:
0 , < 1.12.0
(custom)
cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:* |
|
| apache | shiro |
Affected:
2.0.0alpha1
Affected: 2.0.0alpha2 cpe:2.3:a:apache:shiro:2.0.0:alpha2:*:*:*:*:*:* cpe:2.3:a:apache:shiro:2.0.0:alpha1:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:10:07.042Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/mbv26onkgw9o35rldh7vmq11wpv2t2qk"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/07/24/4"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230915-0005/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "shiro",
"vendor": "apache",
"versions": [
{
"lessThan": "1.12.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:apache:shiro:2.0.0:alpha2:*:*:*:*:*:*",
"cpe:2.3:a:apache:shiro:2.0.0:alpha1:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "shiro",
"vendor": "apache",
"versions": [
{
"status": "affected",
"version": "2.0.0alpha1"
},
{
"status": "affected",
"version": "2.0.0alpha2"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-34478",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-02T18:25:43.914210Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T18:29:59.782Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.12.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "2.0.0-alpha-3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "tkswifty"
},
{
"lang": "en",
"type": "finder",
"value": "Ha1c9on"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003emay be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.\u003cbr\u003e\u003cbr\u003e\u003cstrong\u003eMitigation:\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.\n\nMitigation:\u00a0Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-15T13:06:33.543Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/mbv26onkgw9o35rldh7vmq11wpv2t2qk"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/07/24/4"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230915-0005/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Shiro before 1.12.0, or 2.0.0-alpha-3, may be susceptible to a path traversal attack when used together with APIs or other web frameworks that route requests based on non-normalized requests.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-34478",
"datePublished": "2023-07-24T18:24:45.619Z",
"dateReserved": "2023-06-07T18:50:06.956Z",
"dateUpdated": "2025-02-13T16:55:37.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22602 (GCVE-0-2023-22602)
Vulnerability from cvelistv5 – Published: 2023-01-14 09:33 – Updated: 2024-08-02 10:13
VLAI
Title
Apache Shiro before 1.11.0, when used with Spring Boot 2.6+, may allow authentication bypass through a specially crafted HTTP request
Summary
When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.
The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching.
Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-436 - Interpretation Conflict
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/dzj0k2smpzzgj6g66… | vendor-advisory |
| https://security.netapp.com/advisory/ntap-2023030… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Unaffected:
0 , < 1.11.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:49.411Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20230302-0001/"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22602",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-01T15:25:09.693167Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T15:25:23.157Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.11.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "v3ged0ge and Adamytd"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003eThe authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot \u0026lt; 2.6 default to Ant style pattern matching.\u003cbr\u003e\u003cp\u003eMitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.\n\nThe authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot \u003c 2.6 default to Ant style pattern matching.\nMitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`\n\n\n"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436 Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-14T09:33:39.775Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Shiro before 1.11.0, when used with Spring Boot 2.6+, may allow authentication bypass through a specially crafted HTTP request",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-22602",
"datePublished": "2023-01-14T09:33:39.775Z",
"dateReserved": "2023-01-03T23:52:40.911Z",
"dateUpdated": "2024-08-02T10:13:49.411Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40664 (GCVE-0-2022-40664)
Vulnerability from cvelistv5 – Published: 2022-10-12 00:00 – Updated: 2025-05-15 15:02
VLAI
Title
Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher
Summary
Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
5 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Affected:
Apache Shiro , < 1.10.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:21:46.341Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg"
},
{
"name": "[oss-security] 20221011 CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/12/1"
},
{
"name": "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/12/2"
},
{
"name": "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/13/1"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20221118-0005/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-40664",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-15T15:02:13.459494Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T15:02:41.513Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.10.0",
"status": "affected",
"version": "Apache Shiro",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Shiro would like to thank Y4tacker for reporting this issue"
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-18T00:00:00.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg"
},
{
"name": "[oss-security] 20221011 CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/12/1"
},
{
"name": "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/12/2"
},
{
"name": "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/13/1"
},
{
"url": "https://security.netapp.com/advisory/ntap-20221118-0005/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-40664",
"datePublished": "2022-10-12T00:00:00.000Z",
"dateReserved": "2022-09-13T00:00:00.000Z",
"dateUpdated": "2025-05-15T15:02:41.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-32532 (GCVE-0-2022-32532)
Vulnerability from cvelistv5 – Published: 2022-06-28 23:20 – Updated: 2024-08-03 07:46
VLAI
Title
Authentication Bypass Vulnerability
Summary
Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Severity
No CVSS data available.
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/y8260dw8vbm99oq7z… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Affected:
Before 1.9.1
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:46:43.634Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Before 1.9.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Shiro would like the thank 4ra1n for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-28T23:20:11.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authentication Bypass Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-32532",
"STATE": "PUBLIC",
"TITLE": "Authentication Bypass Vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Shiro",
"version": {
"version_data": [
{
"version_value": "Before 1.9.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache Shiro would like the thank 4ra1n for reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863 Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-32532",
"datePublished": "2022-06-28T23:20:11.000Z",
"dateReserved": "2022-06-07T00:00:00.000Z",
"dateUpdated": "2024-08-03T07:46:43.634Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41303 (GCVE-0-2021-41303)
Vulnerability from cvelistv5 – Published: 2021-09-17 08:20 – Updated: 2024-08-04 03:08
VLAI
Title
Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass
Summary
Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.
Severity
No CVSS data available.
CWE
- CWE-287 - Improper Authentication
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/re470be1ffea… | x_refsource_MISC |
| https://lists.apache.org/thread.html/raae98bb934e… | mailing-listx_refsource_MLIST |
| https://www.oracle.com/security-alerts/cpujul2022.html | x_refsource_MISC |
| https://security.netapp.com/advisory/ntap-2022060… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Affected:
Apache Shiro , < 1.8.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:08:32.012Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E"
},
{
"name": "[shiro-user] 20210929 Re: CVE-2021-41303: Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b%40%3Cuser.shiro.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220609-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.8.0",
"status": "affected",
"version": "Apache Shiro",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Shiro would like to thank tsug0d for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:38:40.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E"
},
{
"name": "[shiro-user] 20210929 Re: CVE-2021-41303: Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b%40%3Cuser.shiro.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220609-0001/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-41303",
"STATE": "PUBLIC",
"TITLE": "Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Shiro",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache Shiro",
"version_value": "1.8.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache Shiro would like to thank tsug0d for reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287 Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E"
},
{
"name": "[shiro-user] 20210929 Re: CVE-2021-41303: Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b@%3Cuser.shiro.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220609-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220609-0001/"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-41303",
"datePublished": "2021-09-17T08:20:12.000Z",
"dateReserved": "2021-09-16T00:00:00.000Z",
"dateUpdated": "2024-08-04T03:08:32.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-17523 (GCVE-0-2020-17523)
Vulnerability from cvelistv5 – Published: 2021-02-03 16:55 – Updated: 2024-08-04 14:00
VLAI
Summary
Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
Severity
No CVSS data available.
CWE
- Information Disclosure
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/rce5943430a6… | x_refsource_MISC |
| https://lists.apache.org/thread.html/r5b93ddf97e2… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/rd4b613e1214… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r9d93dfb5df0… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/re25b8317b00… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r679ca978133… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r8244fd0831d… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r852971e28f5… | mailing-listx_refsource_MLIST |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Apache Shiro |
Affected:
before 1.7.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:00:48.826Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[activemq-gitbox] 20210210 [GitHub] [activemq] ehossack-aws opened a new pull request #614: Update shiro to 1.7.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5b93ddf97e2c4cda779d22fab30539bdec454cfa5baec4ad0ffae235%40%3Cgitbox.activemq.apache.org%3E"
},
{
"name": "[activemq-issues] 20210301 [jira] [Created] (AMQ-8159) High severity security issues found in Apache Shiro v.1.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd4b613e121438b97e3eb263cac3137caddb1dbd8f648b73a4f1898a6%40%3Cissues.activemq.apache.org%3E"
},
{
"name": "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210424 Re: Ask help for upgrading Shiro in CDH platform to 1.7.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r679ca97813384bdb1a4c087810ba44d9ad9c7c11583979bb7481d196%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E"
},
{
"name": "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Shiro",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "before 1.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-05T02:06:26.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[activemq-gitbox] 20210210 [GitHub] [activemq] ehossack-aws opened a new pull request #614: Update shiro to 1.7.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5b93ddf97e2c4cda779d22fab30539bdec454cfa5baec4ad0ffae235%40%3Cgitbox.activemq.apache.org%3E"
},
{
"name": "[activemq-issues] 20210301 [jira] [Created] (AMQ-8159) High severity security issues found in Apache Shiro v.1.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd4b613e121438b97e3eb263cac3137caddb1dbd8f648b73a4f1898a6%40%3Cissues.activemq.apache.org%3E"
},
{
"name": "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210424 Re: Ask help for upgrading Shiro in CDH platform to 1.7.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r679ca97813384bdb1a4c087810ba44d9ad9c7c11583979bb7481d196%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E"
},
{
"name": "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-17523",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Shiro",
"version": {
"version_data": [
{
"version_value": "before 1.7.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[activemq-gitbox] 20210210 [GitHub] [activemq] ehossack-aws opened a new pull request #614: Update shiro to 1.7.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5b93ddf97e2c4cda779d22fab30539bdec454cfa5baec4ad0ffae235@%3Cgitbox.activemq.apache.org%3E"
},
{
"name": "[activemq-issues] 20210301 [jira] [Created] (AMQ-8159) High severity security issues found in Apache Shiro v.1.7.0",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd4b613e121438b97e3eb263cac3137caddb1dbd8f648b73a4f1898a6@%3Cissues.activemq.apache.org%3E"
},
{
"name": "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210424 Re: Ask help for upgrading Shiro in CDH platform to 1.7.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r679ca97813384bdb1a4c087810ba44d9ad9c7c11583979bb7481d196@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E"
},
{
"name": "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac@%3Cdev.shiro.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-17523",
"datePublished": "2021-02-03T16:55:18.000Z",
"dateReserved": "2020-08-12T00:00:00.000Z",
"dateUpdated": "2024-08-04T14:00:48.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-17510 (GCVE-0-2020-17510)
Vulnerability from cvelistv5 – Published: 2020-11-05 20:17 – Updated: 2024-08-04 14:00
VLAI
Summary
Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
Severity
No CVSS data available.
CWE
- Authentication Bypass
Assigner
References
10 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/rc2cff2538b6… | x_refsource_MISC |
| https://lists.apache.org/thread.html/r95bdf370385… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r70098e336d0… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/rb47d88af224… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r575301804bf… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r70b907ccb30… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r9d93dfb5df0… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/re25b8317b00… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r852971e28f5… | mailing-listx_refsource_MLIST |
| https://lists.debian.org/debian-lts-announce/2021… | mailing-listx_refsource_MLIST |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Apache Shiro |
Affected:
Apache Shiro to 1.7.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:00:48.649Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[announce] 20201105 [CVE-2020-17510] Apache Shiro 1.7.0 released",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r95bdf3703858b5f958b5e190d747421771b430d97095880db91980d6%40%3Cannounce.apache.org%3E"
},
{
"name": "[shiro-dev] 20201221 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201222 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210130 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210316 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210802 [SECURITY] [DLA 2726-1] shiro security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Shiro",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Apache Shiro to 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Authentication Bypass",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-03T03:06:18.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[announce] 20201105 [CVE-2020-17510] Apache Shiro 1.7.0 released",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r95bdf3703858b5f958b5e190d747421771b430d97095880db91980d6%40%3Cannounce.apache.org%3E"
},
{
"name": "[shiro-dev] 20201221 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201222 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210130 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210316 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210802 [SECURITY] [DLA 2726-1] shiro security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-17510",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Shiro",
"version": {
"version_data": [
{
"version_value": "Apache Shiro to 1.7.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Authentication Bypass"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E"
},
{
"name": "[announce] 20201105 [CVE-2020-17510] Apache Shiro 1.7.0 released",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r95bdf3703858b5f958b5e190d747421771b430d97095880db91980d6@%3Cannounce.apache.org%3E"
},
{
"name": "[shiro-dev] 20201221 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20201222 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210130 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210316 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac@%3Cdev.shiro.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210802 [SECURITY] [DLA 2726-1] shiro security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-17510",
"datePublished": "2020-11-05T20:17:36.000Z",
"dateReserved": "2020-08-12T00:00:00.000Z",
"dateUpdated": "2024-08-04T14:00:48.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}