Vulnerabilites related to apache - shiro
cve-2020-11989
Vulnerability from cvelistv5
Published
2020-06-22 18:06
Modified
2024-08-04 11:48
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Version: Apache Shiro 1.5.2 - 1.5.3 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T11:48:57.710Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E", }, { name: "[shiro-dev] 20200622 [Announce] CVE-2020-11989: Authentication Bypass by Primary Weakness", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-commits] 20200622 svn commit: r1879089 - /shiro/site/publish/security-reports.html", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0%40%3Ccommits.shiro.apache.org%3E", }, { name: "[shiro-commits] 20200622 svn commit: r1879088 - /shiro/site/publish/security-reports.html", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E", }, { name: "[shiro-user] 20200622 [Announce] CVE-2020-11989: Authentication Bypass by Primary Weakness", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E", }, { name: "[geode-dev] 20200630 Re: Proposal to bring GEODE-8315 (shiro upgrade) to support branches", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rcf3d8041e1232201fe5d74fc612a193e435784d64002409b448b58fe%40%3Cdev.geode.apache.org%3E", }, { name: "[geode-dev] 20200630 Proposal to bring GEODE-8315 (shiro upgrade) to support branches", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r408fe60bc8fdfd7c74135249d646d7abadb807ebf90f6fd2b014df21%40%3Cdev.geode.apache.org%3E", }, { name: "[shiro-commits] 20200817 svn commit: r1880941 - /shiro/site/publish/security-reports.html", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3%40%3Ccommits.shiro.apache.org%3E", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Shiro", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "Apache Shiro 1.5.2 - 1.5.3", }, ], }, ], descriptions: [ { lang: "en", value: "Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.", }, ], problemTypes: [ { descriptions: [ { description: "Authentication Bypass by Primary Weakness", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-08-17T18:06:18", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E", }, { name: "[shiro-dev] 20200622 [Announce] CVE-2020-11989: Authentication Bypass by Primary Weakness", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-commits] 20200622 svn commit: r1879089 - /shiro/site/publish/security-reports.html", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0%40%3Ccommits.shiro.apache.org%3E", }, { name: "[shiro-commits] 20200622 svn commit: r1879088 - /shiro/site/publish/security-reports.html", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E", }, { name: "[shiro-user] 20200622 [Announce] CVE-2020-11989: Authentication Bypass by Primary Weakness", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E", }, { name: "[geode-dev] 20200630 Re: Proposal to bring GEODE-8315 (shiro upgrade) to support branches", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rcf3d8041e1232201fe5d74fc612a193e435784d64002409b448b58fe%40%3Cdev.geode.apache.org%3E", }, { name: "[geode-dev] 20200630 Proposal to bring GEODE-8315 (shiro upgrade) to support branches", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r408fe60bc8fdfd7c74135249d646d7abadb807ebf90f6fd2b014df21%40%3Cdev.geode.apache.org%3E", }, { name: "[shiro-commits] 20200817 svn commit: r1880941 - /shiro/site/publish/security-reports.html", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3%40%3Ccommits.shiro.apache.org%3E", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2020-11989", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Shiro", version: { version_data: [ { version_value: "Apache Shiro 1.5.2 - 1.5.3", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Authentication Bypass by Primary Weakness", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E", }, { name: "[shiro-dev] 20200622 [Announce] CVE-2020-11989: Authentication Bypass by Primary Weakness", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675@%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-commits] 20200622 svn commit: r1879089 - /shiro/site/publish/security-reports.html", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0@%3Ccommits.shiro.apache.org%3E", }, { name: "[shiro-commits] 20200622 svn commit: r1879088 - /shiro/site/publish/security-reports.html", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040@%3Ccommits.shiro.apache.org%3E", }, { name: "[shiro-user] 20200622 [Announce] CVE-2020-11989: Authentication Bypass by Primary Weakness", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675@%3Cuser.shiro.apache.org%3E", }, { name: "[geode-dev] 20200630 Re: Proposal to bring GEODE-8315 (shiro upgrade) to support branches", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rcf3d8041e1232201fe5d74fc612a193e435784d64002409b448b58fe@%3Cdev.geode.apache.org%3E", }, { name: "[geode-dev] 20200630 Proposal to bring GEODE-8315 (shiro upgrade) to support branches", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r408fe60bc8fdfd7c74135249d646d7abadb807ebf90f6fd2b014df21@%3Cdev.geode.apache.org%3E", }, { name: "[shiro-commits] 20200817 svn commit: r1880941 - /shiro/site/publish/security-reports.html", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3@%3Ccommits.shiro.apache.org%3E", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2020-11989", datePublished: "2020-06-22T18:06:37", dateReserved: "2020-04-21T00:00:00", dateUpdated: "2024-08-04T11:48:57.710Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-13933
Vulnerability from cvelistv5
Published
2020-08-17 20:19
Modified
2024-08-04 12:32
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Apache Shiro |
Version: Apache Shiro before version 1.6.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T12:32:14.332Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E", }, { name: "[geode-dev] 20200831 Proposal to bring GEODE-8456 (shiro upgrade) to support branches", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r18b45d560d76c4260813c802771cc9678aa651fb8340e09366bfa198%40%3Cdev.geode.apache.org%3E", }, { name: "[geode-dev] 20200901 Re: Proposal to bring GEODE-8456 (shiro upgrade) to support branches", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r9ea6d8560d6354d41433ad006069904f0ed083527aa348b5999261a7%40%3Cdev.geode.apache.org%3E", }, { name: "[shiro-dev] 20200924 Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r6ea0224c1971a91dc6ade1f22508119a9c3bd56cef656f0c44bbfabb%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20201004 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r4c1e1249e9e1acb868db0c80728c13f448d07333da06a0f1603c0a33%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20201217 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r8097b81905f2a113ebdf925bcbc6d8c9d6863c807c9ee42e1e7c9293%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20201219 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb5edf49cd1451475dbcf53826ba6ef1bb7872dd6493d6112eb0c2bad%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20201220 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r4506cedc401d6b8de83787f8436aac83956e411d66848c84785db46d%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20201221 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20201222 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210130 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210316 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E", }, { name: "[debian-lts-announce] 20210802 [SECURITY] [DLA 2726-1] shiro security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Shiro", vendor: "n/a", versions: [ { status: "affected", version: "Apache Shiro before version 1.6.0", }, ], }, ], descriptions: [ { lang: "en", value: "Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.", }, ], problemTypes: [ { descriptions: [ { description: "Information Disclosure", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-08-03T03:06:15", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E", }, { name: "[geode-dev] 20200831 Proposal to bring GEODE-8456 (shiro upgrade) to support branches", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r18b45d560d76c4260813c802771cc9678aa651fb8340e09366bfa198%40%3Cdev.geode.apache.org%3E", }, { name: "[geode-dev] 20200901 Re: Proposal to bring GEODE-8456 (shiro upgrade) to support branches", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r9ea6d8560d6354d41433ad006069904f0ed083527aa348b5999261a7%40%3Cdev.geode.apache.org%3E", }, { name: "[shiro-dev] 20200924 Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r6ea0224c1971a91dc6ade1f22508119a9c3bd56cef656f0c44bbfabb%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20201004 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r4c1e1249e9e1acb868db0c80728c13f448d07333da06a0f1603c0a33%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20201217 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r8097b81905f2a113ebdf925bcbc6d8c9d6863c807c9ee42e1e7c9293%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20201219 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rb5edf49cd1451475dbcf53826ba6ef1bb7872dd6493d6112eb0c2bad%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20201220 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r4506cedc401d6b8de83787f8436aac83956e411d66848c84785db46d%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20201221 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20201222 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210130 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210316 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E", }, { name: "[debian-lts-announce] 20210802 [SECURITY] [DLA 2726-1] shiro security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2020-13933", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Shiro", version: { version_data: [ { version_value: "Apache Shiro before version 1.6.0", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Information Disclosure", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E", }, { name: "[geode-dev] 20200831 Proposal to bring GEODE-8456 (shiro upgrade) to support branches", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r18b45d560d76c4260813c802771cc9678aa651fb8340e09366bfa198@%3Cdev.geode.apache.org%3E", }, { name: "[geode-dev] 20200901 Re: Proposal to bring GEODE-8456 (shiro upgrade) to support branches", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r9ea6d8560d6354d41433ad006069904f0ed083527aa348b5999261a7@%3Cdev.geode.apache.org%3E", }, { name: "[shiro-dev] 20200924 Request for assistance to backport CVE-2020-13933 fix", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r6ea0224c1971a91dc6ade1f22508119a9c3bd56cef656f0c44bbfabb@%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20201004 Re: Request for assistance to backport CVE-2020-13933 fix", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r4c1e1249e9e1acb868db0c80728c13f448d07333da06a0f1603c0a33@%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20201217 Re: Request for assistance to backport CVE-2020-13933 fix", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r8097b81905f2a113ebdf925bcbc6d8c9d6863c807c9ee42e1e7c9293@%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20201219 Re: Request for assistance to backport CVE-2020-13933 fix", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rb5edf49cd1451475dbcf53826ba6ef1bb7872dd6493d6112eb0c2bad@%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20201220 Re: Request for assistance to backport CVE-2020-13933 fix", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r4506cedc401d6b8de83787f8436aac83956e411d66848c84785db46d@%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20201221 Re: Request for assistance to backport CVE-2020-13933 fix", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4@%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20201222 Re: Request for assistance to backport CVE-2020-13933 fix", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc@%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210130 Re: Request for assistance to backport CVE-2020-13933 fix", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129@%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210316 Re: Request for assistance to backport CVE-2020-13933 fix", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a@%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d@%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix", refsource: "MLIST", url: "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0@%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac@%3Cdev.shiro.apache.org%3E", }, { name: "[debian-lts-announce] 20210802 [SECURITY] [DLA 2726-1] shiro security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2020-13933", datePublished: "2020-08-17T20:19:53", dateReserved: "2020-06-08T00:00:00", dateUpdated: "2024-08-04T12:32:14.332Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-34478
Vulnerability from cvelistv5
Published
2023-07-24 18:24
Modified
2025-02-13 16:55
Severity ?
EPSS score ?
Summary
Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.
Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Version: 0 ≤ Version: 0 ≤ |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T16:10:07.042Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/mbv26onkgw9o35rldh7vmq11wpv2t2qk", }, { tags: [ "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2023/07/24/4", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20230915-0005/", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "shiro", vendor: "apache", versions: [ { lessThan: "1.12.0", status: "affected", version: "0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:apache:shiro:2.0.0:alpha2:*:*:*:*:*:*", "cpe:2.3:a:apache:shiro:2.0.0:alpha1:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "shiro", vendor: "apache", versions: [ { status: "affected", version: "2.0.0alpha1", }, { status: "affected", version: "2.0.0alpha2", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2023-34478", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-10-02T18:25:43.914210Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-02T18:29:59.782Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Shiro", vendor: "Apache Software Foundation", versions: [ { lessThan: "1.12.0", status: "affected", version: "0", versionType: "semver", }, { lessThan: "2.0.0-alpha-3", status: "affected", version: "0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "tkswifty", }, { lang: "en", type: "finder", value: "Ha1c9on", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, <span style=\"background-color: rgb(255, 255, 255);\">may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.<br><br><strong>Mitigation:</strong><span style=\"background-color: rgb(255, 255, 255);\"> Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+</span></span><br>", }, ], value: "Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.\n\nMitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+", }, ], metrics: [ { other: { content: { text: "important", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-09-15T13:06:33.543Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/mbv26onkgw9o35rldh7vmq11wpv2t2qk", }, { url: "http://www.openwall.com/lists/oss-security/2023/07/24/4", }, { url: "https://security.netapp.com/advisory/ntap-20230915-0005/", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Shiro before 1.12.0, or 2.0.0-alpha-3, may be susceptible to a path traversal attack when used together with APIs or other web frameworks that route requests based on non-normalized requests.", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2023-34478", datePublished: "2023-07-24T18:24:45.619Z", dateReserved: "2023-06-07T18:50:06.956Z", dateUpdated: "2025-02-13T16:55:37.269Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-22602
Vulnerability from cvelistv5
Published
2023-01-14 09:33
Modified
2024-08-02 10:13
Severity ?
EPSS score ?
Summary
When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.
The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching.
Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl | vendor-advisory |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:13:49.411Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { url: "https://security.netapp.com/advisory/ntap-20230302-0001/", }, { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-22602", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-08-01T15:25:09.693167Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-01T15:25:23.157Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Shiro", vendor: "Apache Software Foundation", versions: [ { lessThan: "1.11.0", status: "unaffected", version: "0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "v3ged0ge and Adamytd", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<span style=\"background-color: rgb(255, 255, 255);\">When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.<br><br></span>The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching.<br><p>Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`<br></p>", }, ], value: "When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.\n\nThe authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching.\nMitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`\n\n\n", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-436", description: "CWE-436 Interpretation Conflict", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-01-14T09:33:39.775Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Shiro before 1.11.0, when used with Spring Boot 2.6+, may allow authentication bypass through a specially crafted HTTP request", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2023-22602", datePublished: "2023-01-14T09:33:39.775Z", dateReserved: "2023-01-03T23:52:40.911Z", dateUpdated: "2024-08-02T10:13:49.411Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-46750
Vulnerability from cvelistv5
Published
2023-12-14 08:15
Modified
2024-08-08 13:05
Severity ?
EPSS score ?
Summary
URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro.
Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9 | vendor-advisory |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Version: 0 ≤ Version: 2.0.0-alpha-1 ≤ |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-08T13:05:17.314Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9", }, { url: "https://security.netapp.com/advisory/ntap-20240808-0002/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://repo.maven.apache.org/maven2", defaultStatus: "unaffected", packageName: "org.apache.shiro:shiro-web", product: "Apache Shiro", vendor: "Apache Software Foundation", versions: [ { lessThan: "1.13.0", status: "affected", version: "0", versionType: "semver", }, { lessThan: "2.0.0-alpha-4", status: "affected", version: "2.0.0-alpha-1", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Claudio Villella", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<span style=\"background-color: rgb(255, 255, 255);\">URL Redirection to Untrusted Site ('Open Redirect') vulnerability when \"form\" authentication is used in Apache Shiro.<br><span style=\"background-color: rgb(255, 255, 255);\">Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.</span></span><br>", }, ], value: "URL Redirection to Untrusted Site ('Open Redirect') vulnerability when \"form\" authentication is used in Apache Shiro.\nMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.\n", }, ], metrics: [ { other: { content: { text: "moderate", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-601", description: "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-12-14T08:15:58.031Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Shiro: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Shiro.", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2023-46750", datePublished: "2023-12-14T08:15:58.031Z", dateReserved: "2023-10-25T19:11:12.143Z", dateUpdated: "2024-08-08T13:05:17.314Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-40664
Vulnerability from cvelistv5
Published
2022-10-12 00:00
Modified
2024-08-03 12:21
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Version: Apache Shiro < 1.10.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T12:21:46.341Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg", }, { name: "[oss-security] 20221011 CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher", tags: [ "mailing-list", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2022/10/12/1", }, { name: "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher", tags: [ "mailing-list", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2022/10/12/2", }, { name: "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher", tags: [ "mailing-list", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2022/10/13/1", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20221118-0005/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Shiro", vendor: "Apache Software Foundation", versions: [ { lessThan: "1.10.0", status: "affected", version: "Apache Shiro", versionType: "custom", }, ], }, ], credits: [ { lang: "en", value: "Apache Shiro would like to thank Y4tacker for reporting this issue", }, ], descriptions: [ { lang: "en", value: "Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-287", description: "CWE-287 Improper Authentication", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-11-18T00:00:00", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { url: "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg", }, { name: "[oss-security] 20221011 CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher", tags: [ "mailing-list", ], url: "http://www.openwall.com/lists/oss-security/2022/10/12/1", }, { name: "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher", tags: [ "mailing-list", ], url: "http://www.openwall.com/lists/oss-security/2022/10/12/2", }, { name: "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher", tags: [ "mailing-list", ], url: "http://www.openwall.com/lists/oss-security/2022/10/13/1", }, { url: "https://security.netapp.com/advisory/ntap-20221118-0005/", }, ], source: { discovery: "UNKNOWN", }, title: "Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher", x_generator: { engine: "Vulnogram 0.0.9", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2022-40664", datePublished: "2022-10-12T00:00:00", dateReserved: "2022-09-13T00:00:00", dateUpdated: "2024-08-03T12:21:46.341Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-17510
Vulnerability from cvelistv5
Published
2020-11-05 20:17
Modified
2024-08-04 14:00
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Apache Shiro |
Version: Apache Shiro to 1.7.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T14:00:48.649Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E", }, { name: "[announce] 20201105 [CVE-2020-17510] Apache Shiro 1.7.0 released", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r95bdf3703858b5f958b5e190d747421771b430d97095880db91980d6%40%3Cannounce.apache.org%3E", }, { name: "[shiro-dev] 20201221 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20201222 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210130 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210316 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E", }, { name: "[debian-lts-announce] 20210802 [SECURITY] [DLA 2726-1] shiro security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Shiro", vendor: "n/a", versions: [ { status: "affected", version: "Apache Shiro to 1.7.0", }, ], }, ], descriptions: [ { lang: "en", value: "Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.", }, ], problemTypes: [ { descriptions: [ { description: "Authentication Bypass", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-08-03T03:06:18", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E", }, { name: "[announce] 20201105 [CVE-2020-17510] Apache Shiro 1.7.0 released", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r95bdf3703858b5f958b5e190d747421771b430d97095880db91980d6%40%3Cannounce.apache.org%3E", }, { name: "[shiro-dev] 20201221 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20201222 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210130 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210316 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E", }, { name: "[debian-lts-announce] 20210802 [SECURITY] [DLA 2726-1] shiro security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2020-17510", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Shiro", version: { version_data: [ { version_value: "Apache Shiro to 1.7.0", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Authentication Bypass", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E", }, { name: "[announce] 20201105 [CVE-2020-17510] Apache Shiro 1.7.0 released", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r95bdf3703858b5f958b5e190d747421771b430d97095880db91980d6@%3Cannounce.apache.org%3E", }, { name: "[shiro-dev] 20201221 Re: Request for assistance to backport CVE-2020-13933 fix", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4@%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20201222 Re: Request for assistance to backport CVE-2020-13933 fix", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc@%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210130 Re: Request for assistance to backport CVE-2020-13933 fix", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129@%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210316 Re: Request for assistance to backport CVE-2020-13933 fix", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a@%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d@%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix", refsource: "MLIST", url: "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0@%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac@%3Cdev.shiro.apache.org%3E", }, { name: "[debian-lts-announce] 20210802 [SECURITY] [DLA 2726-1] shiro security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2020-17510", datePublished: "2020-11-05T20:17:36", dateReserved: "2020-08-12T00:00:00", dateUpdated: "2024-08-04T14:00:48.649Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2014-0074
Vulnerability from cvelistv5
Published
2014-10-06 14:00
Modified
2024-08-06 09:05
Severity ?
EPSS score ?
Summary
Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.
References
| ▼ | URL | Tags |
|---|---|---|
| http://seclists.org/fulldisclosure/2014/Mar/22 | mailing-list, x_refsource_FULLDISC | |
| https://issues.apache.org/jira/browse/SHIRO-460 | x_refsource_MISC | |
| http://rhn.redhat.com/errata/RHSA-2014-1351.html | vendor-advisory, x_refsource_REDHAT |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T09:05:38.510Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "20140303 [Announce] Apache Shiro 1.2.3 Released - Security Advisory", tags: [ "mailing-list", "x_refsource_FULLDISC", "x_transferred", ], url: "http://seclists.org/fulldisclosure/2014/Mar/22", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://issues.apache.org/jira/browse/SHIRO-460", }, { name: "RHSA-2014:1351", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2014-1351.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2014-03-03T00:00:00", descriptions: [ { lang: "en", value: "Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2014-10-06T13:57:01", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "20140303 [Announce] Apache Shiro 1.2.3 Released - Security Advisory", tags: [ "mailing-list", "x_refsource_FULLDISC", ], url: "http://seclists.org/fulldisclosure/2014/Mar/22", }, { tags: [ "x_refsource_MISC", ], url: "https://issues.apache.org/jira/browse/SHIRO-460", }, { name: "RHSA-2014:1351", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2014-1351.html", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2014-0074", datePublished: "2014-10-06T14:00:00", dateReserved: "2013-12-03T00:00:00", dateUpdated: "2024-08-06T09:05:38.510Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-32532
Vulnerability from cvelistv5
Published
2022-06-28 23:20
Modified
2024-08-03 07:46
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Version: Before 1.9.1 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T07:46:43.634Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Shiro", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "Before 1.9.1", }, ], }, ], credits: [ { lang: "en", value: "Apache Shiro would like the thank 4ra1n for reporting this issue.", }, ], descriptions: [ { lang: "en", value: "Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-863", description: "CWE-863 Incorrect Authorization", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-06-28T23:20:11", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh", }, ], source: { discovery: "UNKNOWN", }, title: "Authentication Bypass Vulnerability", x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2022-32532", STATE: "PUBLIC", TITLE: "Authentication Bypass Vulnerability", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Shiro", version: { version_data: [ { version_value: "Before 1.9.1", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, credit: [ { lang: "eng", value: "Apache Shiro would like the thank 4ra1n for reporting this issue.", }, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, impact: [ {}, ], problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-863 Incorrect Authorization", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh", refsource: "MISC", url: "https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh", }, ], }, source: { discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2022-32532", datePublished: "2022-06-28T23:20:11", dateReserved: "2022-06-07T00:00:00", dateUpdated: "2024-08-03T07:46:43.634Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2010-3863
Vulnerability from cvelistv5
Published
2010-11-05 16:28
Modified
2024-08-07 03:26
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/44616 | vdb-entry, x_refsource_BID | |
| http://secunia.com/advisories/41989 | third-party-advisory, x_refsource_SECUNIA | |
| http://osvdb.org/69067 | vdb-entry, x_refsource_OSVDB | |
| http://www.securityfocus.com/archive/1/514616/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html | mailing-list, x_refsource_FULLDISC | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/62959 | vdb-entry, x_refsource_XF | |
| http://www.vupen.com/english/advisories/2010/2888 | vdb-entry, x_refsource_VUPEN |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-07T03:26:11.892Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "44616", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/44616", }, { name: "41989", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/41989", }, { name: "69067", tags: [ "vdb-entry", "x_refsource_OSVDB", "x_transferred", ], url: "http://osvdb.org/69067", }, { name: "20101103 CVE-2010-3863: Apache Shiro information disclosure vulnerability", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "http://www.securityfocus.com/archive/1/514616/100/0/threaded", }, { name: "20101102 CVE-2010-3863: Apache Shiro information disclosure vulnerability", tags: [ "mailing-list", "x_refsource_FULLDISC", "x_transferred", ], url: "http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html", }, { name: "shiro-filters-security-bypass(62959)", tags: [ "vdb-entry", "x_refsource_XF", "x_transferred", ], url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/62959", }, { name: "ADV-2010-2888", tags: [ "vdb-entry", "x_refsource_VUPEN", "x_transferred", ], url: "http://www.vupen.com/english/advisories/2010/2888", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2010-11-02T00:00:00", descriptions: [ { lang: "en", value: "Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-10-10T18:57:01", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "44616", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/44616", }, { name: "41989", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/41989", }, { name: "69067", tags: [ "vdb-entry", "x_refsource_OSVDB", ], url: "http://osvdb.org/69067", }, { name: "20101103 CVE-2010-3863: Apache Shiro information disclosure vulnerability", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "http://www.securityfocus.com/archive/1/514616/100/0/threaded", }, { name: "20101102 CVE-2010-3863: Apache Shiro information disclosure vulnerability", tags: [ "mailing-list", "x_refsource_FULLDISC", ], url: "http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html", }, { name: "shiro-filters-security-bypass(62959)", tags: [ "vdb-entry", "x_refsource_XF", ], url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/62959", }, { name: "ADV-2010-2888", tags: [ "vdb-entry", "x_refsource_VUPEN", ], url: "http://www.vupen.com/english/advisories/2010/2888", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2010-3863", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "44616", refsource: "BID", url: "http://www.securityfocus.com/bid/44616", }, { name: "41989", refsource: "SECUNIA", url: "http://secunia.com/advisories/41989", }, { name: "69067", refsource: "OSVDB", url: "http://osvdb.org/69067", }, { name: "20101103 CVE-2010-3863: Apache Shiro information disclosure vulnerability", refsource: "BUGTRAQ", url: "http://www.securityfocus.com/archive/1/514616/100/0/threaded", }, { name: "20101102 CVE-2010-3863: Apache Shiro information disclosure vulnerability", refsource: "FULLDISC", url: "http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html", }, { name: "shiro-filters-security-bypass(62959)", refsource: "XF", url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/62959", }, { name: "ADV-2010-2888", refsource: "VUPEN", url: "http://www.vupen.com/english/advisories/2010/2888", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2010-3863", datePublished: "2010-11-05T16:28:00", dateReserved: "2010-10-08T00:00:00", dateUpdated: "2024-08-07T03:26:11.892Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2019-12422
Vulnerability from cvelistv5
Published
2019-11-18 22:04
Modified
2024-08-04 23:17
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread.html/c9db14cfebfb8e74205884ed2bf2e2b30790ce24b7dde9191c82572c%40%3Cdev.shiro.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E | mailing-list, x_refsource_MLIST |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T23:17:39.997Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "[shiro-dev] 20191118 [ANNOUNCE][CVE-2019-12422] Apache Shiro 1.4.2 released", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/c9db14cfebfb8e74205884ed2bf2e2b30790ce24b7dde9191c82572c%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-commits] 20200622 svn commit: r1879088 - /shiro/site/publish/security-reports.html", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Shiro", vendor: "Apache", versions: [ { status: "affected", version: "to 1.4.1", }, ], }, ], descriptions: [ { lang: "en", value: "Apache Shiro before 1.4.2, when using the default \"remember me\" configuration, cookies could be susceptible to a padding attack.", }, ], problemTypes: [ { descriptions: [ { description: "Weak Cookie Vulnerability", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-06-22T19:06:24", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { name: "[shiro-dev] 20191118 [ANNOUNCE][CVE-2019-12422] Apache Shiro 1.4.2 released", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/c9db14cfebfb8e74205884ed2bf2e2b30790ce24b7dde9191c82572c%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-commits] 20200622 svn commit: r1879088 - /shiro/site/publish/security-reports.html", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2019-12422", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Shiro", version: { version_data: [ { version_value: "to 1.4.1", }, ], }, }, ], }, vendor_name: "Apache", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Apache Shiro before 1.4.2, when using the default \"remember me\" configuration, cookies could be susceptible to a padding attack.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Weak Cookie Vulnerability", }, ], }, ], }, references: { reference_data: [ { name: "[shiro-dev] 20191118 [ANNOUNCE][CVE-2019-12422] Apache Shiro 1.4.2 released", refsource: "MLIST", url: "https://lists.apache.org/thread.html/c9db14cfebfb8e74205884ed2bf2e2b30790ce24b7dde9191c82572c@%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-commits] 20200622 svn commit: r1879088 - /shiro/site/publish/security-reports.html", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040@%3Ccommits.shiro.apache.org%3E", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2019-12422", datePublished: "2019-11-18T22:04:21", dateReserved: "2019-05-28T00:00:00", dateUpdated: "2024-08-04T23:17:39.997Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2016-6802
Vulnerability from cvelistv5
Published
2016-09-20 19:00
Modified
2024-08-06 01:43
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/archive/1/539397/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://packetstormsecurity.com/files/138709/Apache-Shiro-Filter-Bypass.html | x_refsource_MISC | |
| http://www.securityfocus.com/bid/92947 | vdb-entry, x_refsource_BID |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T01:43:37.909Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "20160913 [ANNOUNCE][CVE-2016-6802] Apache Shiro 1.3.2 released", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "http://www.securityfocus.com/archive/1/539397/100/0/threaded", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/138709/Apache-Shiro-Filter-Bypass.html", }, { name: "92947", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/92947", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2016-09-13T00:00:00", descriptions: [ { lang: "en", value: "Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-10-09T18:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { name: "20160913 [ANNOUNCE][CVE-2016-6802] Apache Shiro 1.3.2 released", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "http://www.securityfocus.com/archive/1/539397/100/0/threaded", }, { tags: [ "x_refsource_MISC", ], url: "http://packetstormsecurity.com/files/138709/Apache-Shiro-Filter-Bypass.html", }, { name: "92947", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/92947", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2016-6802", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "20160913 [ANNOUNCE][CVE-2016-6802] Apache Shiro 1.3.2 released", refsource: "BUGTRAQ", url: "http://www.securityfocus.com/archive/1/539397/100/0/threaded", }, { name: "http://packetstormsecurity.com/files/138709/Apache-Shiro-Filter-Bypass.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/138709/Apache-Shiro-Filter-Bypass.html", }, { name: "92947", refsource: "BID", url: "http://www.securityfocus.com/bid/92947", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2016-6802", datePublished: "2016-09-20T19:00:00", dateReserved: "2016-08-12T00:00:00", dateUpdated: "2024-08-06T01:43:37.909Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-46749
Vulnerability from cvelistv5
Published
2024-01-15 09:57
Modified
2024-08-02 20:53
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting
Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm | vendor-advisory |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Version: 0 ≤ Version: 2.0.0-alpha-1 ≤ |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T20:53:21.049Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Shiro", vendor: "Apache Software Foundation", versions: [ { lessThan: "1.13.0", status: "affected", version: "0", versionType: "semver", }, { lessThan: "2.0.0-alpha-4", status: "affected", version: "2.0.0-alpha-1", versionType: "semver", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting <br><br><span style=\"background-color: rgb(255, 255, 255);\">Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).<br></span><br>", }, ], value: "Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting \n\nMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).\n\n", }, ], metrics: [ { other: { content: { text: "low", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-01-20T10:01:32.470Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting ", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2023-46749", datePublished: "2024-01-15T09:57:31.613Z", dateReserved: "2023-10-25T18:55:02.833Z", dateUpdated: "2024-08-02T20:53:21.049Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-17523
Vulnerability from cvelistv5
Published
2021-02-03 16:55
Modified
2024-08-04 14:00
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Apache Shiro |
Version: before 1.7.1 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T14:00:48.826Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E", }, { name: "[activemq-gitbox] 20210210 [GitHub] [activemq] ehossack-aws opened a new pull request #614: Update shiro to 1.7.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r5b93ddf97e2c4cda779d22fab30539bdec454cfa5baec4ad0ffae235%40%3Cgitbox.activemq.apache.org%3E", }, { name: "[activemq-issues] 20210301 [jira] [Created] (AMQ-8159) High severity security issues found in Apache Shiro v.1.7.0", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rd4b613e121438b97e3eb263cac3137caddb1dbd8f648b73a4f1898a6%40%3Cissues.activemq.apache.org%3E", }, { name: "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210424 Re: Ask help for upgrading Shiro in CDH platform to 1.7.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r679ca97813384bdb1a4c087810ba44d9ad9c7c11583979bb7481d196%40%3Cdev.shiro.apache.org%3E", }, { name: "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E", }, { name: "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Shiro", vendor: "n/a", versions: [ { status: "affected", version: "before 1.7.1", }, ], }, ], descriptions: [ { lang: "en", value: "Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.", }, ], problemTypes: [ { descriptions: [ { description: "Information Disclosure", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-05-05T02:06:26", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E", }, { name: "[activemq-gitbox] 20210210 [GitHub] [activemq] ehossack-aws opened a new pull request #614: Update shiro to 1.7.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r5b93ddf97e2c4cda779d22fab30539bdec454cfa5baec4ad0ffae235%40%3Cgitbox.activemq.apache.org%3E", }, { name: "[activemq-issues] 20210301 [jira] [Created] (AMQ-8159) High severity security issues found in Apache Shiro v.1.7.0", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rd4b613e121438b97e3eb263cac3137caddb1dbd8f648b73a4f1898a6%40%3Cissues.activemq.apache.org%3E", }, { name: "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210424 Re: Ask help for upgrading Shiro in CDH platform to 1.7.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r679ca97813384bdb1a4c087810ba44d9ad9c7c11583979bb7481d196%40%3Cdev.shiro.apache.org%3E", }, { name: "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E", }, { name: "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2020-17523", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Shiro", version: { version_data: [ { version_value: "before 1.7.1", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Information Disclosure", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E", }, { name: "[activemq-gitbox] 20210210 [GitHub] [activemq] ehossack-aws opened a new pull request #614: Update shiro to 1.7.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r5b93ddf97e2c4cda779d22fab30539bdec454cfa5baec4ad0ffae235@%3Cgitbox.activemq.apache.org%3E", }, { name: "[activemq-issues] 20210301 [jira] [Created] (AMQ-8159) High severity security issues found in Apache Shiro v.1.7.0", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rd4b613e121438b97e3eb263cac3137caddb1dbd8f648b73a4f1898a6@%3Cissues.activemq.apache.org%3E", }, { name: "[shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d@%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix", refsource: "MLIST", url: "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0@%3Cdev.shiro.apache.org%3E", }, { name: "[shiro-dev] 20210424 Re: Ask help for upgrading Shiro in CDH platform to 1.7.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r679ca97813384bdb1a4c087810ba44d9ad9c7c11583979bb7481d196@%3Cdev.shiro.apache.org%3E", }, { name: "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E", }, { name: "[shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac@%3Cdev.shiro.apache.org%3E", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2020-17523", datePublished: "2021-02-03T16:55:18", dateReserved: "2020-08-12T00:00:00", dateUpdated: "2024-08-04T14:00:48.826Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-41303
Vulnerability from cvelistv5
Published
2021-09-17 08:20
Modified
2024-08-04 03:08
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E | x_refsource_MISC | |
| https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b%40%3Cuser.shiro.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://www.oracle.com/security-alerts/cpujul2022.html | x_refsource_MISC | |
| https://security.netapp.com/advisory/ntap-20220609-0001/ | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Version: Apache Shiro < 1.8.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T03:08:32.012Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E", }, { name: "[shiro-user] 20210929 Re: CVE-2021-41303: Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b%40%3Cuser.shiro.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20220609-0001/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Shiro", vendor: "Apache Software Foundation", versions: [ { lessThan: "1.8.0", status: "affected", version: "Apache Shiro", versionType: "custom", }, ], }, ], credits: [ { lang: "en", value: "Apache Shiro would like to thank tsug0d for reporting this issue.", }, ], descriptions: [ { lang: "en", value: "Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-287", description: "CWE-287 Improper Authentication", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-07-25T16:38:40", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E", }, { name: "[shiro-user] 20210929 Re: CVE-2021-41303: Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b%40%3Cuser.shiro.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20220609-0001/", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass", x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2021-41303", STATE: "PUBLIC", TITLE: "Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Shiro", version: { version_data: [ { version_affected: "<", version_name: "Apache Shiro", version_value: "1.8.0", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, credit: [ { lang: "eng", value: "Apache Shiro would like to thank tsug0d for reporting this issue.", }, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, impact: [ {}, ], problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-287 Improper Authentication", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E", }, { name: "[shiro-user] 20210929 Re: CVE-2021-41303: Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass", refsource: "MLIST", url: "https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b@%3Cuser.shiro.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpujul2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { name: "https://security.netapp.com/advisory/ntap-20220609-0001/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20220609-0001/", }, ], }, source: { discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2021-41303", datePublished: "2021-09-17T08:20:12", dateReserved: "2021-09-16T00:00:00", dateUpdated: "2024-08-04T03:08:32.012Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-1957
Vulnerability from cvelistv5
Published
2020-03-25 15:24
Modified
2024-08-04 06:54
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Apache Shiro |
Version: Apache Shiro to 1.5.2 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T06:54:00.565Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e1be238895648f5a1e6%40%3Cdev.shiro.apache.org%3E", }, { name: "[camel-commits] 20200325 [camel] branch camel-3.0.x updated: Updating Shiro to 1.5.2 due to CVE-2020-1957", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rc64fb2336683feff3580c3c3a8b28e80525077621089641f2f386b63%40%3Ccommits.camel.apache.org%3E", }, { name: "[geode-dev] 20200406 Proposal to bring GEODE-7941 to support/1.12", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb3982edf8bc8fcaa7a308e25a12d294fb4aac1f1e9d4e14fda639e77%40%3Cdev.geode.apache.org%3E", }, { name: "[debian-lts-announce] 20200419 [SECURITY] [DLA 2181-1] shiro security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2020/04/msg00014.html", }, { name: "[shiro-commits] 20200622 svn commit: r1879089 - /shiro/site/publish/security-reports.html", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0%40%3Ccommits.shiro.apache.org%3E", }, { name: "[shiro-commits] 20200622 svn commit: r1879088 - /shiro/site/publish/security-reports.html", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E", }, { name: "[shiro-commits] 20200817 svn commit: r1880941 - /shiro/site/publish/security-reports.html", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3%40%3Ccommits.shiro.apache.org%3E", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Shiro", vendor: "n/a", versions: [ { status: "affected", version: "Apache Shiro to 1.5.2", }, ], }, ], descriptions: [ { lang: "en", value: "Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.", }, ], problemTypes: [ { descriptions: [ { description: "Authentication Bypass", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-08-17T18:06:18", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e1be238895648f5a1e6%40%3Cdev.shiro.apache.org%3E", }, { name: "[camel-commits] 20200325 [camel] branch camel-3.0.x updated: Updating Shiro to 1.5.2 due to CVE-2020-1957", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rc64fb2336683feff3580c3c3a8b28e80525077621089641f2f386b63%40%3Ccommits.camel.apache.org%3E", }, { name: "[geode-dev] 20200406 Proposal to bring GEODE-7941 to support/1.12", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rb3982edf8bc8fcaa7a308e25a12d294fb4aac1f1e9d4e14fda639e77%40%3Cdev.geode.apache.org%3E", }, { name: "[debian-lts-announce] 20200419 [SECURITY] [DLA 2181-1] shiro security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2020/04/msg00014.html", }, { name: "[shiro-commits] 20200622 svn commit: r1879089 - /shiro/site/publish/security-reports.html", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0%40%3Ccommits.shiro.apache.org%3E", }, { name: "[shiro-commits] 20200622 svn commit: r1879088 - /shiro/site/publish/security-reports.html", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E", }, { name: "[shiro-commits] 20200817 svn commit: r1880941 - /shiro/site/publish/security-reports.html", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3%40%3Ccommits.shiro.apache.org%3E", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2020-1957", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Shiro", version: { version_data: [ { version_value: "Apache Shiro to 1.5.2", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Authentication Bypass", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e1be238895648f5a1e6%40%3Cdev.shiro.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e1be238895648f5a1e6%40%3Cdev.shiro.apache.org%3E", }, { name: "[camel-commits] 20200325 [camel] branch camel-3.0.x updated: Updating Shiro to 1.5.2 due to CVE-2020-1957", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rc64fb2336683feff3580c3c3a8b28e80525077621089641f2f386b63@%3Ccommits.camel.apache.org%3E", }, { name: "[geode-dev] 20200406 Proposal to bring GEODE-7941 to support/1.12", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rb3982edf8bc8fcaa7a308e25a12d294fb4aac1f1e9d4e14fda639e77@%3Cdev.geode.apache.org%3E", }, { name: "[debian-lts-announce] 20200419 [SECURITY] [DLA 2181-1] shiro security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2020/04/msg00014.html", }, { name: "[shiro-commits] 20200622 svn commit: r1879089 - /shiro/site/publish/security-reports.html", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0@%3Ccommits.shiro.apache.org%3E", }, { name: "[shiro-commits] 20200622 svn commit: r1879088 - /shiro/site/publish/security-reports.html", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040@%3Ccommits.shiro.apache.org%3E", }, { name: "[shiro-commits] 20200817 svn commit: r1880941 - /shiro/site/publish/security-reports.html", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3@%3Ccommits.shiro.apache.org%3E", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2020-1957", datePublished: "2020-03-25T15:24:27", dateReserved: "2019-12-02T00:00:00", dateUpdated: "2024-08-04T06:54:00.565Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2016-4437
Vulnerability from cvelistv5
Published
2016-06-07 14:00
Modified
2025-02-07 13:29
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2016-2035.html | vendor-advisory, x_refsource_REDHAT | |
| https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E | mailing-list, x_refsource_MLIST | |
| http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html | x_refsource_MISC | |
| http://rhn.redhat.com/errata/RHSA-2016-2036.html | vendor-advisory, x_refsource_REDHAT | |
| http://www.securityfocus.com/bid/91024 | vdb-entry, x_refsource_BID | |
| http://www.securityfocus.com/archive/1/538570/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T00:32:24.897Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2016:2035", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { name: "[announcements@aurora.apache.org] 20171101 Apache Aurora information disclosure vulnerability", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html", }, { name: "RHSA-2016:2036", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { name: "91024", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/91024", }, { name: "20160603 [Announce] CVE-2016-4437: Apache Shiro information disclosure vulnerability", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "http://www.securityfocus.com/archive/1/538570/100/0/threaded", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2016-4437", options: [ { Exploitation: "active", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-02-07T13:29:14.189192Z", version: "2.0.3", }, type: "ssvc", }, }, { other: { content: { dateAdded: "2021-11-03", reference: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2016-4437", }, type: "kev", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-321", description: "CWE-321 Use of Hard-coded Cryptographic Key", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-02-07T13:29:17.376Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2016-06-03T00:00:00.000Z", descriptions: [ { lang: "en", value: "Apache Shiro before 1.2.5, when a cipher key has not been configured for the \"remember me\" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-04-29T17:06:16.000Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2016:2035", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { name: "[announcements@aurora.apache.org] 20171101 Apache Aurora information disclosure vulnerability", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html", }, { name: "RHSA-2016:2036", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { name: "91024", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/91024", }, { name: "20160603 [Announce] CVE-2016-4437: Apache Shiro information disclosure vulnerability", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "http://www.securityfocus.com/archive/1/538570/100/0/threaded", }, { tags: [ "x_refsource_MISC", ], url: "http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2016-4437", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Apache Shiro before 1.2.5, when a cipher key has not been configured for the \"remember me\" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2016:2035", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { name: "[announcements@aurora.apache.org] 20171101 Apache Aurora information disclosure vulnerability", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4@%3Cannouncements.aurora.apache.org%3E", }, { name: "http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html", }, { name: "RHSA-2016:2036", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { name: "91024", refsource: "BID", url: "http://www.securityfocus.com/bid/91024", }, { name: "20160603 [Announce] CVE-2016-4437: Apache Shiro information disclosure vulnerability", refsource: "BUGTRAQ", url: "http://www.securityfocus.com/archive/1/538570/100/0/threaded", }, { name: "http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2016-4437", datePublished: "2016-06-07T14:00:00.000Z", dateReserved: "2016-05-02T00:00:00.000Z", dateUpdated: "2025-02-07T13:29:17.376Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
Vulnerability from fkie_nvd
Published
2020-11-05 21:15
Modified
2024-11-21 05:08
Severity ?
Summary
Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | shiro | * | |
| debian | debian_linux | 9.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*", matchCriteriaId: "FFD2A206-696A-456F-841D-64695F141426", versionEndExcluding: "1.7.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.", }, { lang: "es", value: "Apache Shiro versiones anteriores a 1.7.0, cuando se usa Apache Shiro con Spring, una petición HTTP especialmente diseñada puede causar una omisión de autenticación", }, ], id: "CVE-2020-17510", lastModified: "2024-11-21T05:08:15.427", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-11-05T21:15:12.537", references: [ { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r95bdf3703858b5f958b5e190d747421771b430d97095880db91980d6%40%3Cannounce.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r95bdf3703858b5f958b5e190d747421771b430d97095880db91980d6%40%3Cannounce.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-287", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-01-15 10:15
Modified
2024-11-21 08:29
Severity ?
Summary
Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting
Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm | Mailing List, Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*", matchCriteriaId: "4506F25B-7525-4608-9541-2FA9A31C72BF", versionEndExcluding: "1.13.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:shiro:2.0.0:alpha1:*:*:*:*:*:*", matchCriteriaId: "27D6F919-851F-470D-A8E7-0F56C1EA16FC", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:shiro:2.0.0:alpha2:*:*:*:*:*:*", matchCriteriaId: "A759179A-E4A9-4A6A-9CCB-5BB9CC73F7E7", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:shiro:2.0.0:alpha3:*:*:*:*:*:*", matchCriteriaId: "637D39D2-0D98-4137-8D48-C6D8834E07B3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting \n\nMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).\n\n", }, { lang: "es", value: "Apache Shiro anterior a 1.130 o 2.0.0-alpha-4 puede ser susceptible a un ataque de path traversal que da como resultado una omisión de autenticación cuando se usa junto con path rewriting. Mitigación: actualice a Apache Shiro 1.13.0+ o 2.0.0-alpha- 4+, o asegúrese de que `blockSemicolon` esté habilitado (este es el valor predeterminado).", }, ], id: "CVE-2023-46749", lastModified: "2024-11-21T08:29:13.427", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-01-15T10:15:26.380", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "security@apache.org", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2016-09-20 19:59
Modified
2025-04-12 10:46
Severity ?
Summary
Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/138709/Apache-Shiro-Filter-Bypass.html | Third Party Advisory, VDB Entry | |
| cve@mitre.org | http://www.securityfocus.com/archive/1/539397/100/0/threaded | ||
| cve@mitre.org | http://www.securityfocus.com/bid/92947 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/138709/Apache-Shiro-Filter-Bypass.html | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/archive/1/539397/100/0/threaded | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/92947 | Third Party Advisory, VDB Entry |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:shiro:1.3.1:*:*:*:*:*:*:*", matchCriteriaId: "EB1C2605-99B3-4020-8329-39E3C67F1E7F", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.", }, { lang: "es", value: "Apache Shiro en versiones anteriores a 1.3.2 permite atacantes eludir los filtros de servlet destinados y obtener acceso aprovechando el uso una de ruta de contexto servlet sin ser root .", }, ], id: "CVE-2016-6802", lastModified: "2025-04-12T10:46:40.837", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2016-09-20T19:59:00.137", references: [ { source: "cve@mitre.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/138709/Apache-Shiro-Filter-Bypass.html", }, { source: "cve@mitre.org", url: "http://www.securityfocus.com/archive/1/539397/100/0/threaded", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/92947", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/138709/Apache-Shiro-Filter-Bypass.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/archive/1/539397/100/0/threaded", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/92947", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Deferred", weaknesses: [ { description: [ { lang: "en", value: "CWE-284", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-01-14 10:15
Modified
2024-11-21 07:45
Severity ?
Summary
When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.
The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching.
Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20230302-0001/ |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | shiro | * | |
| vmware | spring_boot | 2.6.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*", matchCriteriaId: "A43087B9-1941-4A90-AF30-331C19BF9A87", versionEndExcluding: "1.11.0", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:a:vmware:spring_boot:2.6.0:\\+:*:*:*:*:*:*", matchCriteriaId: "74809806-E086-4EFF-8268-3EFF39AB5EF4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, ], cveTags: [], descriptions: [ { lang: "en", value: "When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.\n\nThe authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching.\nMitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`\n\n\n", }, { lang: "es", value: "Cuando se utiliza Apache Shiro anterior a 1.11.0 junto con Spring Boot 2.6+, una solicitud HTTP especialmente manipulada puede provocar una omisión de autenticación. La omisión de autenticación se produce cuando Shiro y Spring Boot utilizan diferentes técnicas de coincidencia de patrones. Tanto Shiro como Spring Boot < 2.6 por defecto utiliza la coincidencia de patrones de estilo Ant. Mitigación: actualice a Apache Shiro 1.11.0 o establezca el siguiente valor de configuración de Spring Boot: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`", }, ], id: "CVE-2023-22602", lastModified: "2024-11-21T07:45:02.740", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-01-14T10:15:09.140", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://security.netapp.com/advisory/ntap-20230302-0001/", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-436", }, ], source: "security@apache.org", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-08-17 21:15
Modified
2024-11-21 05:02
Severity ?
Summary
Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | shiro | * | |
| debian | debian_linux | 9.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*", matchCriteriaId: "3A1E6484-27EC-4428-AD24-0D3296581F92", versionEndExcluding: "1.6.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.", }, { lang: "es", value: "Apache Shiro versiones anteriores a 1.6.0, cuando se usa Apache Shiro, una petición HTTP especialmente diseñada puede causar una omisión de autenticación.", }, ], id: "CVE-2020-13933", lastModified: "2024-11-21T05:02:10.570", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-08-17T21:15:11.647", references: [ { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r18b45d560d76c4260813c802771cc9678aa651fb8340e09366bfa198%40%3Cdev.geode.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r4506cedc401d6b8de83787f8436aac83956e411d66848c84785db46d%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r4c1e1249e9e1acb868db0c80728c13f448d07333da06a0f1603c0a33%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r6ea0224c1971a91dc6ade1f22508119a9c3bd56cef656f0c44bbfabb%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r8097b81905f2a113ebdf925bcbc6d8c9d6863c807c9ee42e1e7c9293%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r9ea6d8560d6354d41433ad006069904f0ed083527aa348b5999261a7%40%3Cdev.geode.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rb5edf49cd1451475dbcf53826ba6ef1bb7872dd6493d6112eb0c2bad%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r18b45d560d76c4260813c802771cc9678aa651fb8340e09366bfa198%40%3Cdev.geode.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r4506cedc401d6b8de83787f8436aac83956e411d66848c84785db46d%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r4c1e1249e9e1acb868db0c80728c13f448d07333da06a0f1603c0a33%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r6ea0224c1971a91dc6ade1f22508119a9c3bd56cef656f0c44bbfabb%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r8097b81905f2a113ebdf925bcbc6d8c9d6863c807c9ee42e1e7c9293%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r9ea6d8560d6354d41433ad006069904f0ed083527aa348b5999261a7%40%3Cdev.geode.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rb5edf49cd1451475dbcf53826ba6ef1bb7872dd6493d6112eb0c2bad%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2016-06-07 14:06
Modified
2025-04-12 10:46
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
References
Impacted products
{ cisaActionDue: "2022-05-03", cisaExploitAdd: "2021-11-03", cisaRequiredAction: "Apply updates per vendor instructions.", cisaVulnerabilityName: "Apache Shiro Code Execution Vulnerability", configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:aurora:*:*:*:*:*:*:*:*", matchCriteriaId: "5E4E49B7-6247-4353-A80D-ADE138DD0967", versionEndExcluding: "0.18.1", versionStartIncluding: "0.10.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*", matchCriteriaId: "2BF5BF73-85B5-4422-B100-EE22B38F574A", versionEndExcluding: "1.2.5", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*", matchCriteriaId: "077732DB-F5F3-4E9C-9AC0-8142AB85B32F", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:1.0:*:*:*:*:middleware:*:*", matchCriteriaId: "A0FED4EE-0AE2-4BD8-8DAC-143382E4DB7C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Apache Shiro before 1.2.5, when a cipher key has not been configured for the \"remember me\" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.", }, { lang: "es", value: "Apache Shiro en versiones anteriores a 1.2.5, cuando una clave de cifrado no ha sido configurada por la característica \"remember me\", permite a atacantes remotos ejecutar código arbitrario o eludir las restricciones destinadas al acceso a través de un parámetro request no especificado.", }, ], id: "CVE-2016-4437", lastModified: "2025-04-12T10:46:40.837", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2016-06-07T14:06:13.247", references: [ { source: "secalert@redhat.com", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html", }, { source: "secalert@redhat.com", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { source: "secalert@redhat.com", tags: [ "Broken Link", "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/archive/1/538570/100/0/threaded", }, { source: "secalert@redhat.com", tags: [ "Broken Link", "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/91024", }, { source: "secalert@redhat.com", tags: [ "Mailing List", ], url: "https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/archive/1/538570/100/0/threaded", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/91024", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", ], url: "https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Deferred", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, { description: [ { lang: "en", value: "CWE-321", }, ], source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2023-07-24 19:15
Modified
2025-02-13 17:16
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.
Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*", matchCriteriaId: "AB0BFCA3-CB88-4DCC-9950-B8065EB192F9", versionEndExcluding: "1.12.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:shiro:2.0.0:alpha1:*:*:*:*:*:*", matchCriteriaId: "27D6F919-851F-470D-A8E7-0F56C1EA16FC", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:shiro:2.0.0:alpha2:*:*:*:*:*:*", matchCriteriaId: "A759179A-E4A9-4A6A-9CCB-5BB9CC73F7E7", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.\n\nMitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+", }, { lang: "es", value: "Apache Shiro, antes de 1.12.0 o 2.0.0-alpha-3, puede ser susceptible a un ataque de Path Traversal que resulta en una omisión de autenticación cuando se usa junto con API u otros marcos web que enrutan solicitudes basadas en solicitudes no normalizadas. Mitigación: actualización a Apache Shiro 1.12.0+ o 2.0.0-alpha-3+ ", }, ], id: "CVE-2023-34478", lastModified: "2025-02-13T17:16:38.883", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2023-07-24T19:15:10.630", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2023/07/24/4", }, { source: "security@apache.org", tags: [ "Mailing List", ], url: "https://lists.apache.org/thread/mbv26onkgw9o35rldh7vmq11wpv2t2qk", }, { source: "security@apache.org", url: "https://security.netapp.com/advisory/ntap-20230915-0005/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2023/07/24/4", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", ], url: "https://lists.apache.org/thread/mbv26onkgw9o35rldh7vmq11wpv2t2qk", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://security.netapp.com/advisory/ntap-20230915-0005/", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "security@apache.org", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-10-12 07:15
Modified
2024-11-21 07:21
Severity ?
Summary
Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*", matchCriteriaId: "2D80A654-E0DF-4E5D-8EB7-819A50F76F26", versionEndExcluding: "1.10.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.", }, { lang: "es", value: "Apache Shiro versiones anteriores a 1.10.0, una vulnerabilidad de Omisión de Autenticación en Shiro cuando es reenviado o es incluida por medio de RequestDispatcher", }, ], id: "CVE-2022-40664", lastModified: "2024-11-21T07:21:49.007", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-10-12T07:15:09.100", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2022/10/12/1", }, { source: "security@apache.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2022/10/12/2", }, { source: "security@apache.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2022/10/13/1", }, { source: "security@apache.org", tags: [ "Mailing List", "Release Notes", "Vendor Advisory", ], url: "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg", }, { source: "security@apache.org", tags: [ "Broken Link", "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20221118-0005/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2022/10/12/1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2022/10/12/2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2022/10/13/1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Release Notes", "Vendor Advisory", ], url: "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20221118-0005/", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-287", }, ], source: "security@apache.org", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2010-11-05 17:00
Modified
2025-04-11 00:51
Severity ?
Summary
Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*", matchCriteriaId: "36E31AB0-3484-46E1-8C7A-5FAA92B21167", versionEndIncluding: "1.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:jsecurity:jsecurity:0.9.0:*:*:*:*:*:*:*", matchCriteriaId: "A9B625E5-8D60-4E40-B887-DDC8B21FB2F7", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.", }, { lang: "es", value: "Apache Shiro anterior a v1.1.0 y JSecurity v0.9.x, no canoniza rutas URI antes de compararlas como entradas en el archivo shiro.ini, lo cual permite a atacantes remotos evitar las restricciones de acceso mediante una solicitud manipulada, como lo demuestra la URI /./account/index.jsp", }, ], id: "CVE-2010-3863", lastModified: "2025-04-11T00:51:21.963", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2010-11-05T17:00:02.577", references: [ { source: "secalert@redhat.com", tags: [ "Exploit", ], url: "http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html", }, { source: "secalert@redhat.com", url: "http://osvdb.org/69067", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "http://secunia.com/advisories/41989", }, { source: "secalert@redhat.com", url: "http://www.securityfocus.com/archive/1/514616/100/0/threaded", }, { source: "secalert@redhat.com", tags: [ "Exploit", ], url: "http://www.securityfocus.com/bid/44616", }, { source: "secalert@redhat.com", url: "http://www.vupen.com/english/advisories/2010/2888", }, { source: "secalert@redhat.com", url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/62959", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://osvdb.org/69067", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://secunia.com/advisories/41989", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/archive/1/514616/100/0/threaded", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "http://www.securityfocus.com/bid/44616", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.vupen.com/english/advisories/2010/2888", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/62959", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Deferred", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-12-14 09:15
Modified
2024-11-21 08:29
Severity ?
Summary
URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro.
Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*", matchCriteriaId: "4506F25B-7525-4608-9541-2FA9A31C72BF", versionEndExcluding: "1.13.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:shiro:2.0.0:alpha1:*:*:*:*:*:*", matchCriteriaId: "27D6F919-851F-470D-A8E7-0F56C1EA16FC", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:shiro:2.0.0:alpha2:*:*:*:*:*:*", matchCriteriaId: "A759179A-E4A9-4A6A-9CCB-5BB9CC73F7E7", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:shiro:2.0.0:alpha3:*:*:*:*:*:*", matchCriteriaId: "637D39D2-0D98-4137-8D48-C6D8834E07B3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "URL Redirection to Untrusted Site ('Open Redirect') vulnerability when \"form\" authentication is used in Apache Shiro.\nMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.\n", }, { lang: "es", value: "Vulnerabilidad de redirección de URL a un sitio que no es de confianza (\"Open Redirect\") cuando se utiliza la autenticación de \"formulario\" en Apache Shiro. Mitigación: actualice a Apache Shiro 1.13.0+ o 2.0.0-alpha-4+.", }, ], id: "CVE-2023-46750", lastModified: "2024-11-21T08:29:13.547", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-12-14T09:15:42.107", references: [ { source: "security@apache.org", tags: [ "Mailing List", ], url: "https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", ], url: "https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://security.netapp.com/advisory/ntap-20240808-0002/", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-601", }, ], source: "security@apache.org", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2019-11-18 23:15
Modified
2024-11-21 04:22
Severity ?
Summary
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*", matchCriteriaId: "ADE7954C-665D-44AD-B87B-D3E7AFD258A3", versionEndExcluding: "1.4.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Apache Shiro before 1.4.2, when using the default \"remember me\" configuration, cookies could be susceptible to a padding attack.", }, { lang: "es", value: "Apache Shiro versiones anteriores a 1.4.2, cuando se usa la configuración predeterminada \"remember me\", las cookies pueden ser susceptibles a un ataque de padding.", }, ], id: "CVE-2019-12422", lastModified: "2024-11-21T04:22:48.657", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2019-11-18T23:15:11.360", references: [ { source: "security@apache.org", url: "https://lists.apache.org/thread.html/c9db14cfebfb8e74205884ed2bf2e2b30790ce24b7dde9191c82572c%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/c9db14cfebfb8e74205884ed2bf2e2b30790ce24b7dde9191c82572c%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2014-10-06 14:55
Modified
2025-04-12 10:46
Severity ?
Summary
Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:shiro:1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "1593675C-A4A3-4EBF-B7E0-40287055FBC3", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:shiro:1.1.0:*:*:*:*:*:*:*", matchCriteriaId: "EB73A4C6-E13B-41FB-A985-A922AC93E710", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:shiro:1.2.0:*:*:*:*:*:*:*", matchCriteriaId: "75049BAF-B1F1-4AD4-89CA-CAB59A4D8FC4", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:shiro:1.2.1:*:*:*:*:*:*:*", matchCriteriaId: "04EC6B5A-24AF-45A7-9759-082CCB006F65", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:shiro:1.2.2:*:*:*:*:*:*:*", matchCriteriaId: "97A620B6-F598-4C13-916F-B66521335687", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.", }, { lang: "es", value: "Apache Shiro 1.x anterior a 1.2.3, cuando se utiliza un servidor LDAP con bind no autenticado habilitado, permite a atacantes remotos evadir la autenticación a través de (1) un nombre de usuario vació o (2) una contraseña vacía.", }, ], id: "CVE-2014-0074", lastModified: "2025-04-12T10:46:40.837", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2014-10-06T14:55:08.063", references: [ { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2014-1351.html", }, { source: "secalert@redhat.com", url: "http://seclists.org/fulldisclosure/2014/Mar/22", }, { source: "secalert@redhat.com", tags: [ "Exploit", "Vendor Advisory", ], url: "https://issues.apache.org/jira/browse/SHIRO-460", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2014-1351.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://seclists.org/fulldisclosure/2014/Mar/22", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Vendor Advisory", ], url: "https://issues.apache.org/jira/browse/SHIRO-460", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Deferred", weaknesses: [ { description: [ { lang: "en", value: "CWE-287", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-06-22 19:15
Modified
2024-11-21 04:59
Severity ?
Summary
Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*", matchCriteriaId: "90234325-DBD4-46E8-A1FE-FCF2A04AF93A", versionEndExcluding: "1.5.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.", }, { lang: "es", value: "Apache Shiro versiones anteriores a 1.5.3, cuando se usa Apache Shiro con controladores dinámicos Spring, una petición especialmente diseñada puede causar una omisión de autenticación", }, ], id: "CVE-2020-11989", lastModified: "2024-11-21T04:59:03.807", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-06-22T19:15:10.653", references: [ { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r408fe60bc8fdfd7c74135249d646d7abadb807ebf90f6fd2b014df21%40%3Cdev.geode.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3%40%3Ccommits.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0%40%3Ccommits.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rcf3d8041e1232201fe5d74fc612a193e435784d64002409b448b58fe%40%3Cdev.geode.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r408fe60bc8fdfd7c74135249d646d7abadb807ebf90f6fd2b014df21%40%3Cdev.geode.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3%40%3Ccommits.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0%40%3Ccommits.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rcf3d8041e1232201fe5d74fc612a193e435784d64002409b448b58fe%40%3Cdev.geode.apache.org%3E", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-09-17 09:15
Modified
2024-11-21 06:26
Severity ?
Summary
Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | shiro | * | |
| oracle | financial_services_crime_and_compliance_management_studio | 8.0.8.2.0 | |
| oracle | financial_services_crime_and_compliance_management_studio | 8.0.8.3.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*", matchCriteriaId: "D7F4D89B-0E8C-4E16-A002-FD7EBCF57844", versionEndExcluding: "1.8.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*", matchCriteriaId: "55F091C7-0869-4FD6-AC73-DA697D990304", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*", matchCriteriaId: "4D134C60-F9E2-46C2-8466-DB90AD98439E", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.", }, { lang: "es", value: "Apache Shiro versiones anteriores a 1.8.0, cuando es usado Apache Shiro con Spring Boot, una petición HTTP especialmente diseñada puede causar una omisión de autenticación. Los usuarios deben actualizar a Apache Shiro versión 1.8.0", }, ], id: "CVE-2021-41303", lastModified: "2024-11-21T06:26:00.263", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-09-17T09:15:09.267", references: [ { source: "security@apache.org", url: "https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b%40%3Cuser.shiro.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220609-0001/", }, { source: "security@apache.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b%40%3Cuser.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220609-0001/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-287", }, ], source: "security@apache.org", type: "Secondary", }, { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-06-29 00:15
Modified
2024-11-21 07:06
Severity ?
Summary
Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh | Mailing List, Vendor Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*", matchCriteriaId: "4C15DF9C-06E0-4274-8A6C-FDEA2F18B777", versionEndExcluding: "1.9.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.", }, { lang: "es", value: "En Apache Shiro versiones anteriores a 1.9.1, Un RegexRequestMatcher puede ser configurado inapropiadamente para ser evitado en algunos contenedores de servlets. Las aplicaciones usando RegExPatternMatcher con \".\" en la expresión regular son posiblemente vulnerables a una omisión de autorización", }, ], id: "CVE-2022-32532", lastModified: "2024-11-21T07:06:34.577", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-06-29T00:15:10.247", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-863", }, ], source: "security@apache.org", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-863", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-03-25 16:15
Modified
2024-11-21 05:11
Severity ?
Summary
Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | shiro | * | |
| debian | debian_linux | 8.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*", matchCriteriaId: "E3E20335-3AB4-4B78-A749-60452E410CF9", versionEndExcluding: "1.5.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.", }, { lang: "es", value: "Apache Shiro versiones anteriores a 1.5.2, cuando se usa Apache Shiro con controladores dinámicos Spring, una petición especialmente diseñada puede causar una omisión de autenticación.", }, ], id: "CVE-2020-1957", lastModified: "2024-11-21T05:11:44.130", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-03-25T16:15:19.353", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e1be238895648f5a1e6%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3%40%3Ccommits.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rb3982edf8bc8fcaa7a308e25a12d294fb4aac1f1e9d4e14fda639e77%40%3Cdev.geode.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rc64fb2336683feff3580c3c3a8b28e80525077621089641f2f386b63%40%3Ccommits.camel.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0%40%3Ccommits.shiro.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2020/04/msg00014.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e1be238895648f5a1e6%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3%40%3Ccommits.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rb3982edf8bc8fcaa7a308e25a12d294fb4aac1f1e9d4e14fda639e77%40%3Cdev.geode.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rc64fb2336683feff3580c3c3a8b28e80525077621089641f2f386b63%40%3Ccommits.camel.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0%40%3Ccommits.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2020/04/msg00014.html", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-02-03 17:15
Modified
2024-11-21 05:08
Severity ?
Summary
Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*", matchCriteriaId: "46186C0D-DE5D-4D2B-8E29-7260BF095460", versionEndExcluding: "1.7.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.", }, { lang: "es", value: "Apache Shiro versiones anteriores a 1.7.1, cuando se usa Apache Shiro con Spring, una petición HTTP especialmente diseñada puede causar una omisión de autenticación", }, ], id: "CVE-2020-17523", lastModified: "2024-11-21T05:08:17.470", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 9, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:C", version: "2.0", }, exploitabilityScore: 10, impactScore: 8.5, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-02-03T17:15:13.700", references: [ { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r5b93ddf97e2c4cda779d22fab30539bdec454cfa5baec4ad0ffae235%40%3Cgitbox.activemq.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r679ca97813384bdb1a4c087810ba44d9ad9c7c11583979bb7481d196%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rd4b613e121438b97e3eb263cac3137caddb1dbd8f648b73a4f1898a6%40%3Cissues.activemq.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r5b93ddf97e2c4cda779d22fab30539bdec454cfa5baec4ad0ffae235%40%3Cgitbox.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r679ca97813384bdb1a4c087810ba44d9ad9c7c11583979bb7481d196%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rd4b613e121438b97e3eb263cac3137caddb1dbd8f648b73a4f1898a6%40%3Cissues.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0%40%3Cdev.shiro.apache.org%3E", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-287", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }