Vulnerability Details : CVE-2023-22602
When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`
Products affected by CVE-2023-22602
- cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_boot:2.6.0:\+:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-22602
0.26%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 65 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-22602
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2023-22602
-
Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.Assigned by: security@apache.org (Primary)
References for CVE-2023-22602
-
https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl
CVE-2023-22602: Apache Shiro before 1.11.0, when used with Spring Boot 2.6+, may allow authentication bypass through a specially crafted HTTP request-Apache Mail ArchivesMailing List;Vendor Advisory
Jump to