High severity · NVD Advisory · Published Jan 14, 2023 · Updated Aug 2, 2024
Apache Shiro before 1.11.0, when used with Spring Boot 2.6+, may allow authentication bypass through a specially crafted HTTP request
CVE-2023-22602
Description
When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.
The bypass occurs when Shiro and Spring Boot apply different pattern-matching techniques to the same request path. Shiro's filter chain definitions use Ant-style patterns, and Spring Boot before 2.6 also defaulted Spring MVC to Ant-style matching. Spring Boot 2.6 changed the default of spring.mvc.pathmatch.matching-strategy to path_pattern_parser, so a request URL can be dispatched to a controller by Spring MVC while Shiro's Ant-style filter chain does not treat it as protected. Mitigation: update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: spring.mvc.pathmatch.matching-strategy = ant_path_matcher
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.shiro:shiro-root (Maven) | < 1.11.0 | 1.11.0 |
Affected products
- pkg:deb/ubuntu/shiro?arch=src?distro=esm-apps/bionic (no CPE), range: >= 0
- pkg:deb/ubuntu/shiro?arch=src?distro=esm-apps/xenial (no CPE), range: >= 0
- pkg:deb/ubuntu/shiro?arch=src?distro=focal (no CPE), range: >= 0
- pkg:deb/ubuntu/shiro?arch=src?distro=jammy (no CPE), range: >= 0
- pkg:deb/ubuntu/shiro?arch=src?distro=noble (no CPE), range: >= 0
- pkg:deb/ubuntu/shiro?arch=src?distro=oracular (no CPE), range: >= 0
- pkg:maven/org.apache.shiro/shiro-root (no CPE), range: < 1.11.0
- Apache Software Foundation / Apache Shiro (v5), range: 0

A range of ">= 0" with no upper bound means the advisory lists no fixed package version for that Ubuntu release.
Patches
Vulnerability mechanics
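The following is an added illustration of the disagreement described in the Description; it is not code from Shiro, Spring, or the advisory. It feeds the same request path to the two matcher implementations the advisory contrasts: Shiro's Ant-style org.apache.shiro.util.AntPathMatcher (used for filter chain definitions in Shiro 1.x) and Spring's PathPatternParser (the Spring MVC default since Spring Boot 2.6). The filter chain pattern /admin/*, the controller route /admin/users and the sample paths are constructed for the example. Trailing-slash handling is one documented difference between the two implementations: in Spring Framework 5.3 (the Spring Boot 2.6/2.7 generation) PathPatternParser treats a trailing slash as optional by default, while the Ant-style matcher requires the pattern and path to agree on it. The advisory does not state which request shapes trigger the bypass, and real Spring MVC dispatch layers further options on the raw matcher, so this shows the class of divergence rather than a full request trace.

```java
// Added example (not Shiro's, Spring's or the advisory's own code).
// Assumes shiro-core 1.x and spring-web 5.3.x on the classpath.
import org.apache.shiro.util.AntPathMatcher;
import org.springframework.http.server.PathContainer;
import org.springframework.web.util.pattern.PathPattern;
import org.springframework.web.util.pattern.PathPatternParser;

import java.util.ArrayList;
import java.util.List;

public class ShiroSpringMatcherDivergence {

    /** Assumed Shiro filter chain definition: "/admin/*" = authc. */
    static final String SHIRO_AUTHC_CHAIN = "/admin/*";

    /** Assumed Spring MVC route of the controller that chain is meant to protect. */
    static final String MVC_ROUTE = "/admin/users";

    /** Shiro's Ant-style matcher: is this path covered by the authc chain? */
    static boolean shiroChainCovers(String requestPath) {
        return new AntPathMatcher().match(SHIRO_AUTHC_CHAIN, requestPath);
    }

    /**
     * Spring's PathPatternParser (Spring Boot 2.6+ default strategy): would this
     * path be matched to the controller route? In Spring Framework 5.3 the parser's
     * matchOptionalTrailingSeparator option defaults to true.
     */
    static boolean pathPatternRoutes(String requestPath) {
        PathPattern route = new PathPatternParser().parse(MVC_ROUTE);
        return route.matches(PathContainer.parsePath(requestPath));
    }

    /** A path that Spring would route but Shiro would not guard is a bypass candidate. */
    static boolean isBypassCandidate(String requestPath) {
        return pathPatternRoutes(requestPath) && !shiroChainCovers(requestPath);
    }

    /** Filters a list of request paths down to the bypass candidates. */
    static List<String> bypassCandidates(List<String> requestPaths) {
        List<String> hits = new ArrayList<>();
        for (String path : requestPaths) {
            if (isBypassCandidate(path)) {
                hits.add(path);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample paths: the canonical route and a trailing-slash variant.
        List<String> samples = List.of("/admin/users", "/admin/users/");
        for (String path : samples) {
            System.out.printf("%-14s shiroAuthc=%-5b pathPatternRoute=%-5b%s%n",
                    path, shiroChainCovers(path), pathPatternRoutes(path),
                    isBypassCandidate(path) ? "  <-- routed without passing the authc chain" : "");
        }
        System.out.println("bypass candidates: " + bypassCandidates(samples));
    }
}
```

With the assumptions above, "/admin/users" is both guarded and routed, while "/admin/users/" is routed by PathPatternParser but not covered by the Ant-style chain, which is exactly the kind of disagreement the advisory describes. Both mitigations remove the disagreement rather than the specific path shape: upgrading to Shiro 1.11.0, or putting spring.mvc.pathmatch.matching-strategy=ant_path_matcher in application.properties so Spring MVC and Shiro evaluate requests with the same Ant-style semantics again. Any filter chain that relies on Shiro alone for authorization on a Spring Boot 2.6+ application should be reviewed against whichever strategy is actually active.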
References
- github.com/advisories/GHSA-7cxr-h8wm-fg4c (GitHub Security Advisory)
- lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl (vendor advisory, Apache mailing list)
- nvd.nist.gov/vuln/detail/CVE-2023-22602 (NVD)