CVE-2020-11989
Description
Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Shiro before 1.5.3 with Spring dynamic controllers allows authentication bypass via specially crafted requests.
Vulnerability
Overview
CVE-2020-11989 is an authentication bypass vulnerability in Apache Shiro versions prior to 1.5.3. The flaw occurs when Shiro is used in conjunction with Spring dynamic controllers. A specially crafted HTTP request can cause Shiro to incorrectly evaluate authentication checks, allowing an attacker to bypass security controls [1].
Exploitation
To exploit this vulnerability, the target application must be using Apache Shiro with Spring dynamic controllers. The attacker does not need prior authentication; they only need network access to send a malicious request. The crafted request manipulates the request path or parameters in a way that Shiro fails to properly match against its security rules, thereby skipping authentication [1].
Impact
Successful exploitation allows an attacker to bypass authentication entirely. This can lead to unauthorized access to protected resources, including administrative interfaces, sensitive data, or functionality that should require authentication. The impact is high as it undermines the core security mechanism of the application [1].
Mitigation
The vulnerability is fixed in Apache Shiro version 1.5.3. Users should upgrade to this version or later. No workarounds are documented; upgrading is the recommended action [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.shiro:shiro-core (Maven) | < 1.5.3 | 1.5.3 |
Affected products
- Apache Software Foundation / Apache Shiro, affected range: Apache Shiro 1.5.2 - 1.5.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-72w9-fcj5-3fcg
- nvd.nist.gov/vuln/detail/CVE-2020-11989
- lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E
- lists.apache.org/thread.html/r408fe60bc8fdfd7c74135249d646d7abadb807ebf90f6fd2b014df21%40%3Cdev.geode.apache.org%3E
- lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cdev.shiro.apache.org%3E
- lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E
- lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3%40%3Ccommits.shiro.apache.org%3E
- lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0%40%3Ccommits.shiro.apache.org%3E
- lists.apache.org/thread.html/rcf3d8041e1232201fe5d74fc612a193e435784d64002409b448b58fe%40%3Cdev.geode.apache.org%3E
News mentions
No linked articles in our index yet.