CVE-2023-22602

Apache Shiro before 1.11.0, when used with Spring Boot 2.6+, may allow authentication bypass through a specially crafted HTTP request

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.

The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching.
Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`

Cuando se utiliza Apache Shiro anterior a 1.11.0 junto con Spring Boot 2.6+, una solicitud HTTP especialmente manipulada puede provocar una omisión de autenticación. La omisión de autenticación se produce cuando Shiro y Spring Boot utilizan diferentes técnicas de coincidencia de patrones. Tanto Shiro como Spring Boot < 2.6 por defecto utiliza la coincidencia de patrones de estilo Ant. Mitigación: actualice a Apache Shiro 1.11.0 o establezca el siguiente valor de configuración de Spring Boot: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`

A flaw was found in Apache Shiro. This issue may allow a malicious user to send a specially crafted HTTP request that could cause an authentication bypass.

*Credits: v3ged0ge and Adamytd

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-01-03 CVE Reserved
2023-01-14 CVE Published
2024-08-02 CVE Updated
2024-08-06 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-436: Interpretation Conflict

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl	2023-11-07
https://access.redhat.com/security/cve/CVE-2023-22602	2023-06-29
https://bugzilla.redhat.com/show_bug.cgi?id=2182198	2023-06-29

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"	Shiro Search vendor "Apache" for product "Shiro"	< 1.11.0 Search vendor "Apache" for product "Shiro" and version " < 1.11.0"	-	Affected	in	Vmware Search vendor "Vmware"	Spring Boot Search vendor "Vmware" for product "Spring Boot"	2.6.0 Search vendor "Vmware" for product "Spring Boot" and version "2.6.0"	\+	Affected