CVE-2020-1957
Description
In Apache Shiro before 1.5.2, when Apache Shiro is used with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Shiro before 1.5.2 allows authentication bypass via specially crafted requests when used with Spring dynamic controllers.
Vulnerability
Overview
CVE-2020-1957 is an authentication bypass vulnerability in Apache Shiro versions prior to 1.5.2. The root cause lies in how Shiro's URL path matching interacts with Spring dynamic controllers. When a specially crafted request is sent, Shiro may fail to apply authentication filters, allowing the request to reach a protected resource without proper credentials [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to a target application that uses Apache Shiro with Spring dynamic controllers. The attack does not require prior authentication and can be performed remotely. The crafted request exploits a discrepancy between Shiro's path matching logic and Spring's controller mapping: Shiro's filter chain does not match the request path, so no authentication filter is applied, while Spring still routes the same request to the protected controller [1].
Impact
Successful exploitation allows an unauthenticated attacker to bypass authentication and access protected resources. This could lead to unauthorized data access, privilege escalation, or further compromise of the application and its underlying systems [1].
Mitigation
The vulnerability is fixed in Apache Shiro version 1.5.2. Users are strongly advised to upgrade to this version or later. No workarounds are documented. The Apache Shiro project provides the fix in the official repository [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.shiro:shiro-core (Maven) | < 1.5.2 | 1.5.2 |
Affected products
- Apache/Shiro
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-26gr-cvq3-qxgf (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-1957 (NVD)
- lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e1be238895648f5a1e6%40%3Cdev.shiro.apache.org%3E (dev.shiro.apache.org mailing list)
- lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E (commits.shiro.apache.org mailing list)
- lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3%40%3Ccommits.shiro.apache.org%3E (commits.shiro.apache.org mailing list)
- lists.apache.org/thread.html/rb3982edf8bc8fcaa7a308e25a12d294fb4aac1f1e9d4e14fda639e77%40%3Cdev.geode.apache.org%3E (dev.geode.apache.org mailing list)
- lists.apache.org/thread.html/rc64fb2336683feff3580c3c3a8b28e80525077621089641f2f386b63%40%3Ccommits.camel.apache.org%3E (commits.camel.apache.org mailing list)
- lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0%40%3Ccommits.shiro.apache.org%3E (commits.shiro.apache.org mailing list)
- lists.debian.org/debian-lts-announce/2020/04/msg00014.html (Debian LTS announcement)
News mentions
No linked articles in our index yet.