CVE-2023-22602
N/A
N/A
Summary
When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.
The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching.
Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: spring.mvc.pathmatch.matching-strategy = ant_path_matcher
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro | 0 < 1.11.0 | unaffected |
Weaknesses
- CWE-436: CWE-436 Interpretation Conflict
ADP Enrichment
CVE Program Container
Additional References
- https://security.netapp.com/advisory/ntap-20230302-0001/
- https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.