Maven package
org.apache.shiro/shiro-core
pkg:maven/org.apache.shiro/shiro-core
Vulnerabilities (10)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-23901 | — | — |  | < 2.1.0 | 2.1.0 | Feb 10, 2026 | Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7. Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue. Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are |
| CVE-2023-46749 | — | — |  | < 1.13.0 | 1.13.0 | Jan 15, 2024 | Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting. Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this i |
| CVE-2022-40664 | — | — |  | < 1.10.0 | 1.10.0 | Oct 12, 2022 | Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher. |
| CVE-2022-32532 | — | — |  | < 1.9.1 | 1.9.1 | Jun 28, 2022 | Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass. |
| CVE-2021-41303 | — | — |  | < 1.8.0 | 1.8.0 | Sep 17, 2021 | Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0. |
| CVE-2020-13933 | — | — |  | < 1.6.0 | 1.6.0 | Aug 17, 2020 | Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass. |
| CVE-2020-11989 | — | — |  | < 1.5.3 | 1.5.3 | Jun 22, 2020 | Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. |
| CVE-2020-1957 | — | — |  | < 1.5.2 | 1.5.2 | Mar 25, 2020 | Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. |
| CVE-2019-12422 | — | — |  | < 1.4.2 | 1.4.2 | Nov 18, 2019 | Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack. |
| CVE-2016-4437 | Critical | 9.8 | KEV | < 1.2.5 | 1.2.5 | Jun 7, 2016 | Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter. |
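A worked illustration of the matcher behaviour behind CVE-2022-32532, added here as an editorial example and not code from the Shiro project: in `java.util.regex`, `.` does not match a line terminator unless the pattern is compiled with `Pattern.DOTALL`, so a `RegExPatternMatcher` rule written as `/admin/.*` fails to match a path that reaches the matcher with a decoded `%0a` in it, and the request falls through to whatever the chain does with an unmatched path. The chain, the paths and the helper names (`legacyMatches`, `hardenedMatches`, `resolveFilter`) are constructed for the demonstration; the `DOTALL` compile mirrors the change shipped in 1.9.1. Regex matching is opt-in in Shiro (the default matcher is Ant-style), which is why the advisory scopes the issue to applications using `RegExPatternMatcher`.

```java
import java.util.regex.Pattern;

/*
 * Added example, not Shiro source. Models the behaviour behind CVE-2022-32532:
 * before 1.9.1 RegExPatternMatcher compiled the pattern with no flags, so '.'
 * stops at a line terminator and a path carrying a decoded %0a or %0d slips
 * past a rule written as "/admin/.*".
 */
public class RegexPathMatchDemo {

    /** Pre-1.9.1 shape (simplified model): java.util.regex with default flags. */
    static boolean legacyMatches(String pattern, String path) {
        return Pattern.compile(pattern).matcher(path).matches();
    }

    /** Post-1.9.1 shape: DOTALL lets '.' consume line terminators as well. */
    static boolean hardenedMatches(String pattern, String path) {
        return Pattern.compile(pattern, Pattern.DOTALL).matcher(path).matches();
    }

    /**
     * Stand-in for a filter-chain lookup: the first rule whose pattern matches
     * the path wins. An unmatched path gets the fall-back shown here as "anon"
     * (in a real chain it simply passes through unfiltered).
     * The chain itself is constructed for the demo.
     */
    static String resolveFilter(String path, boolean dotall) {
        String[][] chain = {
            { "/admin/.*", "authc" },   // everything under /admin/ must be authenticated
            { "/.*",       "anon"  },   // everything else is public
        };
        for (String[] rule : chain) {
            boolean hit = dotall ? hardenedMatches(rule[0], path) : legacyMatches(rule[0], path);
            if (hit) {
                return rule[1];
            }
        }
        return "anon";                  // fall-back when no rule matches
    }

    public static void main(String[] args) {
        String normal  = "/admin/users";
        String crafted = "/admin/\nusers";   // what the matcher sees once the container has decoded %0a

        System.out.println("legacy,   /admin/users    -> " + resolveFilter(normal,  false));
        System.out.println("legacy,   /admin/%0ausers -> " + resolveFilter(crafted, false));
        System.out.println("hardened, /admin/%0ausers -> " + resolveFilter(crafted, true));
    }
}
```

Compile and run with `javac RegexPathMatchDemo.java && java RegexPathMatchDemo`. With default flags the crafted path matches neither rule (both contain `.*`, and neither can cross the newline), so it resolves to the fall-back instead of `authc`, while `/admin/users` resolves to `authc`; with `DOTALL` the crafted path resolves to `authc` as intended. Whether a container actually delivers such a path to the filter chain varies, which is why the advisory says "some servlet containers"; compiling with `DOTALL` removes the dependency on container behaviour.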
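The timing issue in CVE-2026-23901 is described only in outline in the table, so the following is a general illustration of the failure mode and of the usual mitigation, added here as an editorial example; it is not Shiro's realm code and does not reproduce the actual 2.0.7 change. A login path that returns early for an unknown username skips the password hashing that a known username triggers, and the gap is large enough to measure over a network. The hardened variant performs the hash on every attempt and compares against a dummy digest when the user is absent, so the work done no longer depends on whether the account exists. The user store, salt, password, iteration count and the helper names (`pbkdf2`, `buildUsers`, `vulnerableLogin`, `hardenedLogin`, `averageNanos`) are constructed for the demo; a real realm stores a random salt per user.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.Callable;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/*
 * Added example, not Shiro's own realm code. Shows why returning early for an
 * unknown user produces an observable timing discrepancy, and one standard fix.
 */
public class TimingSafeLoginDemo {

    // Constructed parameters for the demo: a real realm stores a random salt per user.
    static final int ITERATIONS = 50_000;
    static final byte[] SALT = "constructed-demo-salt".getBytes(StandardCharsets.UTF_8);

    // Fixed digest used for unknown users; the 'known' flag below makes its value irrelevant to the result.
    static final byte[] DUMMY_DIGEST = new byte[32];

    static byte[] pbkdf2(char[] password) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, SALT, ITERATIONS, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    /** Constructed user store: username -> stored PBKDF2 output. */
    static Map<String, byte[]> buildUsers() throws Exception {
        Map<String, byte[]> users = new HashMap<>();
        users.put("alice", pbkdf2("correct horse battery staple".toCharArray()));
        return users;
    }

    /** Vulnerable shape: an unknown user returns before any hashing work is done. */
    static boolean vulnerableLogin(Map<String, byte[]> users, String user, char[] pw) throws Exception {
        byte[] stored = users.get(user);
        if (stored == null) {
            return false;                 // fast path: no PBKDF2 run, so the response is far quicker
        }
        return MessageDigest.isEqual(stored, pbkdf2(pw));
    }

    /** Hardened shape: hash on every attempt and compare against a dummy digest for unknown users. */
    static boolean hardenedLogin(Map<String, byte[]> users, String user, char[] pw) throws Exception {
        byte[] stored = users.get(user);
        boolean known = stored != null;
        byte[] target = known ? stored : DUMMY_DIGEST;
        boolean match = MessageDigest.isEqual(target, pbkdf2(pw));  // constant-time compare, always executed
        return known & match;             // non-short-circuit: the hash runs regardless of 'known'
    }

    /** Average wall-clock cost of one call after a warm-up run. */
    static long averageNanos(Callable<Boolean> attempt, int rounds) throws Exception {
        attempt.call();
        long start = System.nanoTime();
        for (int i = 0; i < rounds; i++) {
            attempt.call();
        }
        return (System.nanoTime() - start) / rounds;
    }

    public static void main(String[] args) throws Exception {
        Map<String, byte[]> users = buildUsers();
        char[] guess = "not-the-password".toCharArray();
        int rounds = 10;

        System.out.printf("vulnerable: known user %d ns, unknown user %d ns%n",
                averageNanos(() -> vulnerableLogin(users, "alice", guess), rounds),
                averageNanos(() -> vulnerableLogin(users, "mallory", guess), rounds));
        System.out.printf("hardened:   known user %d ns, unknown user %d ns%n",
                averageNanos(() -> hardenedLogin(users, "alice", guess), rounds),
                averageNanos(() -> hardenedLogin(users, "mallory", guess), rounds));
    }
}
```

Compile and run with `javac TimingSafeLoginDemo.java && java TimingSafeLoginDemo`. The first line shows the vulnerable shape answering an unknown user several orders of magnitude faster than a known one, because only the known-user branch pays for PBKDF2; the second line shows the two hardened cases within measurement noise of each other. The same pattern applies to any realm or credential matcher: do the expensive work unconditionally and fold the existence check into the final result, never into an early return.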