Vulnerability Description
When using Apache Shiro before 1.11.0 together with Spring Boot 2.6 or later, a specially crafted HTTP request may cause an authentication bypass. The bypass occurs because Shiro and Spring Boot apply different pattern-matching strategies to the same request path: Shiro evaluates its filter chain definitions with Ant-style matching, and Spring Boot before 2.6 also defaulted to Ant-style matching (`AntPathMatcher`), but Spring Boot 2.6 changed the default Spring MVC matching strategy to `PathPatternParser`. A request path that Shiro's filter chain does not treat as protected can therefore still be routed by Spring MVC to a protected handler. Mitigation: update to Apache Shiro 1.11.0 or later, or switch Spring Boot back to Ant-style matching by setting the following value in `application.properties`: `spring.mvc.pathmatch.matching-strategy=ant_path_matcher`
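The mismatch is easiest to see by running the same Ant-style filter chain definition through both of Spring's matchers and listing every entry on which they disagree. The following is an added example, not code from the Shiro project, Spring Boot, or this advisory; it assumes spring-web on the classpath (`org.springframework.util.AntPathMatcher`, `org.springframework.web.util.pattern.PathPatternParser`, `org.springframework.http.server.PathContainer`), and the class name, chain definition and probe paths are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.springframework.http.server.PathContainer;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.util.pattern.PathPattern;
import org.springframework.web.util.pattern.PathPatternParser;
import org.springframework.web.util.pattern.PatternParseException;

/**
 * Consistency check (added example, hypothetical class): evaluates a Shiro-style
 * filter chain definition with both Spring matching strategies. Shiro < 1.11.0
 * decides "protected or not" with Ant-style matching; Spring Boot 2.6+ routes the
 * same request with PathPatternParser unless
 * spring.mvc.pathmatch.matching-strategy=ant_path_matcher is set. Every pattern
 * the two strategies read differently is an entry whose protection cannot be
 * assumed to line up with Spring MVC routing.
 */
public class PathMatchConsistencyCheck {

    private static final AntPathMatcher ANT = new AntPathMatcher();
    private static final PathPatternParser PARSER = new PathPatternParser();

    /** Verdict of one pattern against one path under both strategies. */
    public static final class Outcome {
        public final String pattern;
        public final String path;
        public final boolean antMatch;
        /** null when PathPatternParser cannot even parse the Ant pattern. */
        public final Boolean pathPatternMatch;

        Outcome(String pattern, String path, boolean antMatch, Boolean pathPatternMatch) {
            this.pattern = pattern;
            this.path = path;
            this.antMatch = antMatch;
            this.pathPatternMatch = pathPatternMatch;
        }

        public boolean disagree() {
            return pathPatternMatch == null || pathPatternMatch != antMatch;
        }
    }

    /** Match a single pattern/path pair with AntPathMatcher and PathPatternParser. */
    public static Outcome check(String pattern, String path) {
        boolean antMatch = ANT.match(pattern, path);
        Boolean ppMatch;
        try {
            PathPattern pp = PARSER.parse(pattern);
            ppMatch = pp.matches(PathContainer.parsePath(path));
        } catch (PatternParseException e) {
            // PathPatternParser rejects some Ant syntax outright, e.g. "**" anywhere
            // but at the end of the pattern; Ant-style matching accepts it.
            ppMatch = null;
        }
        return new Outcome(pattern, path, antMatch, ppMatch);
    }

    /**
     * For each probe path, find the first chain entry that matches under each
     * strategy (Shiro applies the first matching entry, in definition order) and
     * report probes where the two strategies resolve to different filter configs.
     */
    public static List<String> conflictingProbes(Map<String, String> chain, List<String> probes) {
        List<String> conflicts = new ArrayList<>();
        for (String path : probes) {
            String antEntry = null;
            String ppEntry = null;
            for (String pattern : chain.keySet()) {
                Outcome o = check(pattern, path);
                if (antEntry == null && o.antMatch) antEntry = pattern;
                if (ppEntry == null && Boolean.TRUE.equals(o.pathPatternMatch)) ppEntry = pattern;
            }
            String antFilters = antEntry == null ? null : chain.get(antEntry);
            String ppFilters = ppEntry == null ? null : chain.get(ppEntry);
            boolean same = antFilters == null ? ppFilters == null : antFilters.equals(ppFilters);
            if (!same) {
                conflicts.add(path + ": ant=" + antEntry + " [" + antFilters + "]"
                        + " pathPattern=" + ppEntry + " [" + ppFilters + "]");
            }
        }
        return conflicts;
    }

    public static void main(String[] args) {
        // Constructed sample chain definition (hypothetical application), in the
        // order Shiro evaluates it: first matching entry wins.
        Map<String, String> chain = new LinkedHashMap<>();
        chain.put("/login", "anon");
        chain.put("/static/**", "anon");
        chain.put("/admin/**/export", "authc, roles[admin]"); // "**" mid-pattern: Ant-only syntax
        chain.put("/admin/**", "authc, roles[admin]");
        chain.put("/**", "authc");

        // Constructed probe paths; extend with the request paths your controllers actually serve.
        List<String> probes = Arrays.asList("/login", "/admin/users", "/admin/users/",
                "/admin/reports/export", "/static/app.js", "/api/items");

        for (String pattern : chain.keySet()) {
            for (String path : probes) {
                Outcome o = check(pattern, path);
                if (o.disagree()) {
                    System.out.println("DISAGREE pattern=" + o.pattern + " path=" + o.path
                            + " ant=" + o.antMatch + " pathPattern=" + o.pathPatternMatch);
                }
            }
        }
        for (String c : conflictingProbes(chain, probes)) {
            System.out.println("CONFLICT " + c);
        }
    }
}
```

This is a check, not a fix: the mitigations remain those above (upgrade Shiro to 1.11.0 or later, or pin `spring.mvc.pathmatch.matching-strategy=ant_path_matcher`). Run it against your own `shiroFilterChainDefinition` entries and the routes your controllers expose; a pattern PathPatternParser rejects, or resolves to a different filter config than AntPathMatcher, is the kind of entry on which the two components stop agreeing.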
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Shiro | < 1.11.0 |
| VMware | Spring Boot | >= 2.6.0 (when used with Shiro < 1.11.0) |
References
- https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl (Mailing List, Vendor Advisory)
- https://security.netapp.com/advisory/ntap-20230302-0001/ (Third Party Advisory)
FAQ
What is CVE-2023-22602?
CVE-2023-22602 is a vulnerability with a CVSS score of 7.5 (HIGH). When using Apache Shiro before 1.11.0 together with Spring Boot 2.6 or later, a specially crafted HTTP request may cause an authentication bypass. The bypass occurs because Shiro and Spring Boot use different pattern-matching strategies for request paths: Shiro matches Ant-style, while Spring Boot 2.6 switched its default to `PathPatternParser`.
How severe is CVE-2023-22602?
CVE-2023-22602 has been rated HIGH with a CVSS base score of 7.5/10. It is triggered by a crafted HTTP request against an affected application and results in an authentication bypass, so any Shiro-protected endpoint in an affected deployment should be treated as reachable without authentication until mitigated.
Is there a patch for CVE-2023-22602?
Yes. Apache Shiro 1.11.0 fixes the issue; as an alternative mitigation, set `spring.mvc.pathmatch.matching-strategy=ant_path_matcher` in the Spring Boot application so both components use Ant-style matching. See the references section above for the vendor advisory. Affected products: Apache Shiro (< 1.11.0) and VMware Spring Boot (2.6.0 and later, when used with a vulnerable Shiro).