VYPR
Critical severity · NVD Advisory · Published Jun 28, 2022 · Updated Aug 3, 2024

Authentication Bypass Vulnerability

CVE-2022-32532

Description

In Apache Shiro before 1.9.1, a RegexRequestMatcher can be misconfigured so that it is bypassed on some servlet containers. Applications using RegExPatternMatcher with . in the regular expression are possibly vulnerable to an authorization bypass.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Shiro before 1.9.1 allows authorization bypass via misconfigured RegexRequestMatcher using '.' patterns on some servlet containers.

Vulnerability

Analysis

CVE-2022-32532 is an authorization bypass vulnerability in Apache Shiro versions prior to 1.9.1. The flaw lies in the RegexRequestMatcher component when it is backed by a RegExPatternMatcher configuration. If the regular expression pattern includes a . (dot), the matcher can be misconfigured so that it is bypassed on certain servlet containers, allowing unauthorized requests to pass through the security checks that the pattern was meant to enforce [1][2].

Exploitation

Exploitation requires an application using Apache Shiro's regex-based request matching with a pattern that contains a literal dot (e.g., to match a specific URL path). On some servlet containers, the dot may not be matched as expected, causing the request matcher to incorrectly consider a request as not matching the pattern, thereby skipping authorization enforcement. No authentication is needed to trigger the bypass; the attacker simply sends a crafted request to a protected resource [1].

Impact

Successful exploitation could allow an unauthenticated attacker to access resources that are intended to be protected by authorization rules. This can lead to exposure of sensitive functionality or data, depending on what the bypassed pattern was meant to secure [1].

Mitigation

Apache Shiro 1.9.1 and later contain a fix for this issue. Users are advised to upgrade to the latest version. For applications that cannot immediately upgrade, reviewing and adjusting regex patterns to avoid reliance on literal dots in RegExPatternMatcher may reduce risk [1][2].
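As an added example, not code from this advisory or from the Apache Shiro project, the Python script below audits the [urls] section of a shiro.ini for regex path patterns that contain an unescaped . metacharacter, which is the configuration the mitigation paragraph says to review. The shiro.ini fragment is constructed for the example; the [main] keys that would switch path matching to RegExPatternMatcher are an assumption and the audit does not depend on them. The two findings it reports illustrate the two cases a reviewer must separate: a dot that was meant literally (write it as \.) and a dot used as a wildcard (replace it with a character class that states exactly which characters the path segment may contain, or upgrade to 1.9.1 or later).

```python
"""Audit shiro.ini [urls] regex patterns for unescaped '.' metacharacters.

Added example for reviewing RegExPatternMatcher configurations; it is not
part of Apache Shiro. The ini fragment below is constructed, and the [main]
keys are an assumption about how regex path matching would be wired up.
"""

# Constructed shiro.ini fragment (assumption: regex-based path matching in use).
SAMPLE_INI = """
[main]
regexMatcher = org.apache.shiro.util.RegExPatternMatcher
filterChainResolver.pathMatcher = $regexMatcher

[urls]
# '.' as a wildcard: review what characters this segment should really allow
/admin/.* = authc, roles[admin]
/api/v1/users/[0-9]+ = authc
# '.' meant literally but left unescaped
/login.jsp = anon
# literal dot correctly escaped, so this line is not reported
/static/[^/]+\\.css = anon
/** = authc
"""


def parse_urls_section(ini_text):
    """Return (pattern, filters) pairs from the [urls] section of an ini text."""
    entries = []
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "urls" and "=" in line:
            pattern, filters = line.split("=", 1)
            entries.append((pattern.strip(), filters.strip()))
    return entries


def unescaped_dots(pattern):
    """Return the indices of '.' characters that act as regex metacharacters.

    A dot preceded by a backslash is a literal, and a dot inside a [...]
    character class is also a literal, so both are skipped.
    """
    positions = []
    in_class = False
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 2  # skip the escaped character, whatever it is
            continue
        if in_class:
            if c == "]":
                in_class = False
        elif c == "[":
            in_class = True
        elif c == ".":
            positions.append(i)
        i += 1
    return positions


def audit(ini_text):
    """Return (pattern, filters, dot_positions) for every risky [urls] entry."""
    findings = []
    for pattern, filters in parse_urls_section(ini_text):
        dots = unescaped_dots(pattern)
        if dots:
            findings.append((pattern, filters, dots))
    return findings


def report(ini_text):
    """Render the audit as one line per finding, marking each risky dot."""
    lines = []
    for pattern, filters, dots in audit(ini_text):
        marker = "".join("^" if i in dots else " " for i in range(len(pattern)))
        lines.append(f"{pattern} = {filters}\n{marker}  <- unescaped '.'")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_INI))
```

Run it against a real shiro.ini and treat every reported entry as a review item: if the dot was meant literally, escape it; if it was a wildcard, decide what the segment should actually match and say so in the pattern rather than relying on the behaviour of . on the deployed servlet container.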

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Affected versions   Patched versions
org.apache.shiro:shiro-core (Maven)  < 1.9.1             1.9.1

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)