
19 matches found

CVE · added 2023/07/24 6:24 p.m. · 2598 views

CVE-2023-34478

Apache Shiro prior to 1.12.0 or 2.0.0-alpha-3 is vulnerable to a path traversal issue that can enable an authentication bypass when used with APIs or web frameworks that route requests based on non-normalized paths. Affected versions include Shiro before 1.12.0 and 2.0.0-alpha-3, with the mitigat...

CVSS 9.8 · AI score 9.5 · EPSS 0.01533
CVE · added 2016/06/07 2:00 p.m. · 1244 views

CVE-2016-4437

The CVE-2016-4437 issue affects Apache Shiro before 1.2.5 when no cipher key is configured for the rememberMe feature, enabling remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter. Public advisories describe an RCE condition with ...

CVSS 9.8 · AI score 8.3 · EPSS 0.93143
In wild · Web
CVE · added 2020/03/25 3:24 p.m. · 284 views

CVE-2020-1957

CVE-2020-1957 is an authentication bypass in Apache Shiro prior to 1.5.2 when used with Spring dynamic controllers; a specially crafted request can bypass authentication. Credible connected sources (NVD entry and Nessus/OSS advisories) confirm the issue and reference additional context, including...

CVSS 9.8 · AI score 9.3 · EPSS 0.24163
CVE · added 2019/11/18 10:04 p.m. · 201 views

CVE-2019-12422

Apache Shiro before 1.4.2 is vulnerable when using the default remember-me configuration, due to a padding attack on cookies. The issue is described across multiple connected entries (e.g., Nessus/Apache Shiro padding attack reports) and affects the remember-me cookie handling, enabling potential...

CVSS 7.5 · AI score 7.3 · EPSS 0.09101
CVE · added 2023/01/14 9:33 a.m. · 201 views

CVE-2023-22602

The CVE-2023-22602 issue affects Apache Shiro before 1.11.0 when used with Spring Boot 2.6+ and can allow an authentication bypass via a specially crafted HTTP request. The bypass arises because Shiro and Spring Boot may use different Ant-style pattern matching, causing access controls to be impr...

CVSS 7.5 · AI score 7.7 · EPSS 0.01553
CVE · added 2020/08/17 8:19 p.m. · 169 views

CVE-2020-13933

CVE-2020-13933 affects Apache Shiro.

CVSS 7.5 · AI score 7.5 · EPSS 0.48019
Web
CVE · added 2020/11/05 8:17 p.m. · 158 views

CVE-2020-17510

CVE-2020-17510 affects Apache Shiro software prior to version 1.7.0 when used with Spring. A specially crafted HTTP request can trigger an authentication bypass, allowing bypass of access restrictions. The vulnerability is categorized with a high to critical impact depending on the score, with ne...

CVSS 9.8 · AI score 9.3 · EPSS 0.09056
CVE · added 2020/06/22 6:06 p.m. · 156 views

CVE-2020-11989

CVE-2020-11989 affects Apache Shiro prior to 1.5.3 when used with Spring dynamic controllers; a specially crafted request may bypass authentication. The vulnerability context is confirmed across multiple sources (NVD entry and Nessus/OpenVAS entries). Remediation can be upgrading to Apache Shiro ...

CVSS 9.8 · AI score 9.3 · EPSS 0.24436
CVE · added 2022/10/12 12:00 a.m. · 143 views

CVE-2022-40664

CVE-2022-40664: Apache Shiro authentication bypass via RequestDispatcher forward/include. Described as a bypass vulnerability (Shiro before 1.10.0) with potential unauthorized access. The connected Broadcom/BSA entries reiterate the Shiro bypass detail; no explicit patch/version in these document...

CVSS 9.8 · AI score 9.4 · EPSS 0.0221
CVE · added 2021/02/03 4:55 p.m. · 138 views

CVE-2020-17523

CVE-2020-17523: Apache Shiro before 1.7.1, when used with Spring, can be bypassed via a specially crafted HTTP request, leading to authentication bypass. The vulnerability stems from path handling and whitespace/tokenization behavior that may cause a request to bypass Shiro’s authentication chec...

CVSS 9.8 · AI score 9.4 · EPSS 0.85911
CVE · added 2022/06/28 11:20 p.m. · 137 views

CVE-2022-32532

CVE-2022-32532 affects Apache Shiro prior to 1.9.1, where the RegexRequestMatcher can be misconfigured to bypass authorization on certain servlet containers when RegExPatternMatcher uses a "." in the pattern. The impact is potential unauthorized access to protected resources. Remediation per publ...

CVSS 9.8 · AI score 9.4 · EPSS 0.25431
CVE · added 2021/09/17 8:20 a.m. · 130 views

CVE-2021-41303

Apache Shiro prior to 1.8.0 (when used with Spring Boot) is affected by an authentication bypass via specially crafted HTTP requests. The CVE-2021-41303 entry notes a high/critical impact (C:H/I:H/A:H in CVSS 3.1) and recommends upgrading to Apache Shiro 1.8.0 or later to remediate. Connected doc...

CVSS 9.8 · AI score 9.4 · EPSS 0.7557
CVE · added 2024/01/15 9:57 a.m. · 100 views

CVE-2023-46749

CVE-2023-46749 affects Apache Shiro prior to 1.13.0 or 2.0.0-alpha-4, where path traversal used with path rewriting can lead to authentication bypass. This is triggered when combined with path rewriting, enabling attackers to bypass login checks. Mitigation options from multiple sources include u...

CVSS 6.5 · AI score 6.5 · EPSS 0.01177
CVE · added 2023/12/14 8:15 a.m. · 62 views

CVE-2023-46750

CVE-2023-46750 is an Open Redirect vulnerability in Apache Shiro triggered when using form authentication. Public references in Nessus/Ubuntu advisories and IBM/NCSC entries confirm the issue affects Apache Shiro components and can enable phishing via URL redirection to untrusted sites. The mitig...

CVSS 6.1 · AI score 6.6 · EPSS 0.01496
CVE · added 2026/05/25 8:19 p.m. · 40 views

CVE-2026-43827

CVE-2026-43827 affects Apache Shiro. In affected versions (1.0–2.1.0 and 3.0.0-alpha-1), an existing session is not invalidated nor a new session with a new ID issued after login, enabling session fixation. Upgraded fixes are available in 2.1.1 and 3.0.0-alpha-2 or later; apply the patch to mitig...

CVSS 6.5 · AI score 5.8 · EPSS 0.00412
CVE · added 2026/02/09 9:26 a.m. · 39 views

CVE-2026-23903

Summary of CVE-2026-23903 (Apache Shiro): It is an Authentication Bypass by Alternate Name vulnerability affecting Apache Shiro versions before 2.0.7, triggered when static files are served from a case-insensitive filesystem (e.g., macOS defaults). In such cases, request filename casing can bypas...

CVSS 5.3 · AI score 5.5 · EPSS 0.00363
CVE · added 2026/05/25 8:19 p.m. · 39 views

CVE-2026-43828

CVE-2026-43828 affects Apache Shiro. The issue: Shiro-native session manager and Remember-Me manager set cookies (JSESSIONID and rememberMe) without the Secure attribute by default, leaking sensitive cookies over non-HTTPS channels. Affected versions: 1.0 to 2.1.0, and 3.0.0-alpha-1. Remediation:...

CVSS 6.5 · AI score 5.8 · EPSS 0.00272
CVE · added 2026/06/17 1:07 p.m. · 25 views

CVE-2026-49268

The CVE-2026-49268 issue affects Apache Shiro’s DefaultLdapRealm where user input is concatenated into the LDAP DN template without escaping RFC 2253 characters. This LDAP DN injection can alter the bind DN, potentially bypassing authentication or impersonating other users. Technical details conf...

CVSS 9.1 · AI score 5.4 · EPSS 0.00494
CVE · added 2026/02/10 9:25 a.m. · 21 views

CVE-2026-23901

CVE-2026-23901 describes an observable timing discrepancy vulnerability in Apache Shiro affecting 1.* and 2.* before 2.0.7. The issue allows a local brute-force-style timing difference to reveal whether a username exists or a password is incorrect, enabling username enumeration. The most likely a...

CVSS 2.5 · AI score 5.6 · EPSS 0.00219