When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.
The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching.
Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`
References
Link | Resource |
---|---|
https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl | Mailing List Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: apache
Published: 2023-01-14T09:33:39.775Z
Updated:
Reserved: 2023-01-03T23:52:40.911Z
Link: CVE-2023-22602
JSON object: View
NVD Information
Status : Modified
Published: 2023-01-14T10:15:09.140
Modified: 2023-11-07T04:07:06.053
Link: CVE-2023-22602
JSON object: View
Redhat Information
No data.
CWE