
CVSS: 9.8 • EPSS: 71% • CPEs: 1 • EXPL: 1

22 Jun 2020 — Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. A flaw was found in Apache Shiro in versions prior to 1.5.3. When using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass... • https://github.com/HYWZ36/HYWZ36-CVE-2020-11989-code • CWE-305: Authentication Bypass by Primary Weakness

CVSS: 9.8 • EPSS: 85% • CPEs: 2 • EXPL: 0

25 Mar 2020 — Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. • https://lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e1be238895648f5a1e6%40%3Cdev.shiro.apache.org%3E

CVSS: 7.5 • EPSS: 66% • CPEs: 1 • EXPL: 0

18 Nov 2019 — Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack. This release of Red Hat Fuse 7.6.0 serves as a replacement for Red Hat Fuse 7.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed ... • https://lists.apache.org/thread.html/c9db14cfebfb8e74205884ed2bf2e2b30790ce24b7dde9191c82572c%40%3Cdev.shiro.apache.org%3E • CWE-20: Improper Input Validation

CVSS: 7.5 • EPSS: 4% • CPEs: 1 • EXPL: 0

13 Sep 2016 — Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path. It was discovered that Apache Shiro incorrectly handled path traversal when used with other web frameworks or path rewriting. An attacker could possibly use this issue to obtai... • http://packetstormsecurity.com/files/138709/Apache-Shiro-Filter-Bypass.html • CWE-284: Improper Access Control

CVSS: 9.8 • EPSS: 94% • CPEs: 4 • EXPL: 8

03 Jun 2016 — Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter. • https://packetstorm.news/files/id/157497 • CWE-287: Improper Authentication • CWE-321: Use of Hard-coded Cryptographic Key

CVSS: 7.5 • EPSS: 0% • CPEs: 5 • EXPL: 1

04 Mar 2014 — Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password. It was discovered that Apache Shiro authenticated users without specifying a user name or a passwor... • http://rhn.redhat.com/errata/RHSA-2014-1351.html • CWE-287: Improper Authentication

CVSS: 5.3 • EPSS: 11% • CPEs: 2 • EXPL: 3

05 Nov 2010 — Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI. • https://www.exploit-db.com/exploits/34952 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')