CVE-2020-13933
Description
In Apache Shiro before 1.6.0, a specially crafted HTTP request may cause an authentication bypass.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Shiro before 1.6.0 allows authentication bypass via a specially crafted HTTP request, enabling unauthorized access.
Vulnerability
Overview
CVE-2020-13933 is an authentication bypass vulnerability in Apache Shiro, a Java security framework. The flaw exists in versions prior to 1.6.0 and allows an attacker to bypass authentication mechanisms by sending a specially crafted HTTP request. The root cause lies in how Shiro processes certain request parameters, which can be manipulated to circumvent the authentication checks [1].
Exploitation
Conditions
Exploitation requires network access to an application using Apache Shiro for authentication. No prior authentication is needed; the attacker sends a malicious HTTP request that triggers the bypass. The exact request structure is not publicly detailed, but the vulnerability is triggered by crafting specific input that Shiro fails to validate correctly [1].
Impact
Successful exploitation allows an attacker to bypass authentication entirely, gaining unauthorized access to protected resources or functionality. This could lead to privilege escalation, data exposure, or further compromise of the application [1].
Mitigation
The vulnerability is fixed in Apache Shiro version 1.6.0. Users should upgrade to this version or later. No workarounds are documented. The issue is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.shiro:shiro-core (Maven) | < 1.6.0 | 1.6.0 |
Affected products
- Apache/Shiro
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-2vgm-wxr3-6w2j (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-13933 (NVD advisory)
- lists.apache.org/thread.html/r18b45d560d76c4260813c802771cc9678aa651fb8340e09366bfa198%40%3Cdev.geode.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r18b45d560d76c4260813c802771cc9678aa651fb8340e09366bfa198@%3Cdev.geode.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r4506cedc401d6b8de83787f8436aac83956e411d66848c84785db46d%40%3Cdev.shiro.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r4506cedc401d6b8de83787f8436aac83956e411d66848c84785db46d@%3Cdev.shiro.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r4c1e1249e9e1acb868db0c80728c13f448d07333da06a0f1603c0a33%40%3Cdev.shiro.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r4c1e1249e9e1acb868db0c80728c13f448d07333da06a0f1603c0a33@%3Cdev.shiro.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129%40%3Cdev.shiro.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129@%3Cdev.shiro.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r6ea0224c1971a91dc6ade1f22508119a9c3bd56cef656f0c44bbfabb%40%3Cdev.shiro.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r6ea0224c1971a91dc6ade1f22508119a9c3bd56cef656f0c44bbfabb@%3Cdev.shiro.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4%40%3Cdev.shiro.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4@%3Cdev.shiro.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a%40%3Cdev.shiro.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a@%3Cdev.shiro.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r8097b81905f2a113ebdf925bcbc6d8c9d6863c807c9ee42e1e7c9293%40%3Cdev.shiro.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r8097b81905f2a113ebdf925bcbc6d8c9d6863c807c9ee42e1e7c9293@%3Cdev.shiro.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac@%3Cdev.shiro.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d@%3Cdev.shiro.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r9ea6d8560d6354d41433ad006069904f0ed083527aa348b5999261a7%40%3Cdev.geode.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r9ea6d8560d6354d41433ad006069904f0ed083527aa348b5999261a7@%3Cdev.geode.apache.org%3E (mailing list)
- lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc%40%3Cdev.shiro.apache.org%3E (mailing list)
- lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc@%3Cdev.shiro.apache.org%3E (mailing list)
- lists.apache.org/thread.html/rb5edf49cd1451475dbcf53826ba6ef1bb7872dd6493d6112eb0c2bad%40%3Cdev.shiro.apache.org%3E (mailing list)
- lists.apache.org/thread.html/rb5edf49cd1451475dbcf53826ba6ef1bb7872dd6493d6112eb0c2bad@%3Cdev.shiro.apache.org%3E (mailing list)
- lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E (mailing list)
- lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0@%3Cdev.shiro.apache.org%3E (mailing list)
- lists.debian.org/debian-lts-announce/2021/08/msg00002.html (mailing list)
News mentions
No linked articles in our index yet.