When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.
The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching.
Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`
References
Link | Resource |
---|---|
https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl | Mailing List Vendor Advisory |
Configurations
Configuration 1 (hide)
AND |
|
History
07 Nov 2023, 04:07
Type | Values Removed | Values Added |
---|---|---|
Summary | When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher` |
27 Jan 2023, 15:57
Type | Values Removed | Values Added |
---|---|---|
First Time |
Apache
Vmware Apache shiro Vmware spring Boot |
|
References | (MISC) https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl - Mailing List, Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
CPE | cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:* cpe:2.3:a:vmware:spring_boot:2.6.0:\+:*:*:*:*:*:* |
14 Jan 2023, 10:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-01-14 10:15
Updated : 2023-12-10 14:48
NVD link : CVE-2023-22602
Mitre link : CVE-2023-22602
CVE.ORG link : CVE-2023-22602
JSON object : View
Products Affected
vmware
- spring_boot
apache
- shiro
CWE
CWE-436
Interpretation Conflict