23 matches found
CVE-2023-34478
Apache Shiro prior to 1.12.0 or 2.0.0-alpha-3 is vulnerable to a path traversal issue that can enable an authentication bypass when used with APIs or web frameworks that route requests based on non-normalized paths. Affected versions include Shiro before 1.12.0 and 2.0.0-alpha-3, with the mitigat...
CVE-2016-4437
The CVE-2016-4437 issue affects Apache Shiro before 1.2.5 when no cipher key is configured for the rememberMe feature, enabling remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter. Public advisories describe an RCE condition with ...
CVE-2020-1957
CVE-2020-1957 is an authentication bypass in Apache Shiro prior to 1.5.2 when used with Spring dynamic controllers; a specially crafted request can bypass authentication. Credible connected sources (NVD entry and Nessus/OSS advisories) confirm the issue and reference additional context, including...
CVE-2019-12422
Apache Shiro before 1.4.2 is vulnerable when using the default remember-me configuration, due to a padding attack on cookies. The issue is described across multiple connected entries (e.g., Nessus/Apache Shiro padding attack reports) and affects the remember-me cookie handling, enabling potential...
CVE-2023-22602
The CVE-2023-22602 issue affects Apache Shiro before 1.11.0 when used with Spring Boot 2.6+ and can allow an authentication bypass via a specially crafted HTTP request. The bypass arises because Shiro and Spring Boot may use different Ant-style pattern matching, causing access controls to be impr...
CVE-2020-13933
CVE-2020-13933 affects Apache Shiro.
CVE-2020-17510
CVE-2020-17510 affects Apache Shiro software prior to version 1.7.0 when used with Spring. A specially crafted HTTP request can trigger an authentication bypass, allowing bypass of access restrictions. The vulnerability is categorized with a high to critical impact depending on the score, with ne...
CVE-2020-11989
CVE-2020-11989 affects Apache Shiro prior to 1.5.3 when used with Spring dynamic controllers; a specially crafted request may bypass authentication. The vulnerability context is confirmed across multiple sources (NVD entry and Nessus/OpenVAS entries). Remediation can be upgrading to Apache Shiro ...
CVE-2022-40664
CVE-2022-40664: Apache Shiro authentication bypass via RequestDispatcher forward/include. Described as a bypass vulnerability (Shiro before 1.10.0) with potential unauthorized access. The connected Broadcom/BSA entries reiterate the Shiro bypass detail; no explicit patch/version in these document...
CVE-2020-17523
CVE-2020-17523: Apache Shiro before 1.7.1, when used with Spring, can be bypassed via a specially crafted HTTP request, leading to authentication bypass. The vulnerability stems from path handling and whitespace/tokenization behavior that may cause a request to bypass Shiro’s authentication chec...
CVE-2022-32532
CVE-2022-32532 affects Apache Shiro prior to 1.9.1, where the RegexRequestMatcher can be misconfigured to bypass authorization on certain servlet containers when RegExPatternMatcher uses a "." in the pattern. The impact is potential unauthorized access to protected resources. Remediation per publ...
CVE-2021-41303
Apache Shiro prior to 1.8.0 (when used with Spring Boot) is affected by an authentication bypass via specially crafted HTTP requests. The CVE-2021-41303 entry notes a high/critical impact (C:H/I:H/A:H in CVSS 3.1) and recommends upgrading to Apache Shiro 1.8.0 or later to remediate. Connected doc...
CVE-2023-46749
CVE-2023-46749 affects Apache Shiro prior to 1.13.0 or 2.0.0-alpha-4, where path traversal used with path rewriting can lead to authentication bypass. This is triggered when combined with path rewriting, enabling attackers to bypass login checks. Mitigation options from multiple sources include u...
CVE-2010-3863
CVE-2010-3863 affects Apache Shiro (before 1.1.0) and JSecurity 0.9.x. The root cause is failure to canonicalize URI paths before comparing them to entries in the shiro.ini filter, allowing a remote attacker to bypass access restrictions with crafted requests such as GET /./account/index.jsp. The...
CVE-2016-6802
CVE-2016-6802 affects Apache Shiro prior to 1.3.2. The issue allows bypass of intended servlet filters by leveraging a non-root servlet context path, enabling an attacker to gain access. The risk and exploit details are limited in the provided documents; the core vulnerability is a path/filters b...
CVE-2014-0074
CVE-2014-0074 affects Apache Shiro 1.x before 1.2.3 when an LDAP server allows unauthenticated binds, enabling bypass of authentication. The Red Hat advisory RHSA-2014:1369 notes this issue is addressed in Fuse ESB Enterprise/MQ Enterprise 7.1.0 with Rollup Patch 1 (7.1.0 R1 P6). The vulnerabilit...
CVE-2023-46750
CVE-2023-46750 is an Open Redirect vulnerability in Apache Shiro triggered when using form authentication. Public references in Nessus/Ubuntu advisories and IBM/NCSC entries confirm the issue affects Apache Shiro components and can enable phishing via URL redirection to untrusted sites. The mitig...
CVE-2026-43827
CVE-2026-43827 affects Apache Shiro. In affected versions (1.0–2.1.0 and 3.0.0-alpha-1), the existing session is neither invalidated nor replaced by a new session with a new ID after login, enabling session fixation. Fixes are available in 2.1.1 and 3.0.0-alpha-2 or later; apply the patch to mitig...
CVE-2026-23903
Summary of CVE-2026-23903 (Apache Shiro): It is an Authentication Bypass by Alternate Name vulnerability affecting Apache Shiro versions before 2.0.7, triggered when static files are served from a case-insensitive filesystem (e.g., macOS defaults). In such cases, request filename casing can bypas...
CVE-2026-44598
Apache Shiro Jakarta EE module contains an open redirect and SSRF vulnerability (CVE-2026-44598) that affects Shiro 2.0-alpha through 2.1.0 and 3.0.0-alpha-1 when using the shiro-jakarta-ee integration. After login, the shiroSavedRequest cookie can be forged and used to redirect the server to an ...
CVE-2026-43828
CVE-2026-43828 affects Apache Shiro. The issue: Shiro-native session manager and Remember-Me manager set cookies (JSESSIONID and rememberMe) without the Secure attribute by default, leaking sensitive cookies over non-HTTPS channels. Affected versions: 1.0 to 2.1.0, and 3.0.0-alpha-1. Remediation:...
CVE-2026-48589
Apache Shiro (Jakarta EE module) is affected by CVE-2026-48589 due to insufficient validation of the HTTP Referer header, enabling an attacker to influence the post-login redirect target. Affected are Shiro 2.0-alpha through 2.2.0, and 3.0.0-alpha-1, specifically when using the shiro-jakarta-ee i...
CVE-2026-23901
CVE-2026-23901 describes an observable timing discrepancy vulnerability in Apache Shiro affecting 1.* and 2.* before 2.0.7. A timing difference, exploitable by local brute-force-style probing, reveals whether a username exists or a password is incorrect, enabling username enumeration. The most likely a...