CVE-2023-34478
Apache Shiro prior to 1.12.0 or 2.0.0-alpha-3 is vulnerable to a path traversal issue that can enable an authentication bypass when used with APIs or web frameworks that route requests based on non-normalized paths. Affected versions include Shiro before 1.12.0 or 2.0.0-alpha-3, with the mitigat...
CVE-2016-4437
The CVE-2016-4437 issue affects Apache Shiro before 1.2.5 when no cipher key is configured for the rememberMe feature, enabling remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter. Public advisories describe an RCE condition with ...
CVE-2020-1957
CVE-2020-1957 is an authentication bypass in Apache Shiro prior to 1.5.2 when used with Spring dynamic controllers; a specially crafted request can bypass authentication. Credible connected sources (NVD entry and Nessus/OSS advisories) confirm the issue and reference additional context, including...
CVE-2019-12422
Apache Shiro before 1.4.2 is vulnerable when using the default remember-me configuration, due to a padding attack on cookies. The issue is described across multiple connected entries (e.g., Nessus/Apache Shiro padding attack reports) and affects the remember-me cookie handling, enabling potential...
CVE-2023-22602
The CVE-2023-22602 issue affects Apache Shiro before 1.11.0 when used with Spring Boot 2.6+ and can allow an authentication bypass via a specially crafted HTTP request. The bypass arises because Shiro and Spring Boot may use different Ant-style pattern matching, causing access controls to be impr...
CVE-2020-13933
CVE-2020-13933 affects Apache Shiro.
CVE-2020-17510
CVE-2020-17510 affects Apache Shiro software prior to version 1.7.0 when used with Spring. A specially crafted HTTP request can trigger an authentication bypass, allowing bypass of access restrictions. The vulnerability is categorized with a high to critical impact depending on the score, with ne...
CVE-2020-11989
CVE-2020-11989 affects Apache Shiro prior to 1.5.3 when used with Spring dynamic controllers; a specially crafted request may bypass authentication. The vulnerability context is confirmed across multiple sources (NVD entry and Nessus/OpenVAS entries). Remediation can be upgrading to Apache Shiro ...
CVE-2022-40664
CVE-2022-40664: Apache Shiro authentication bypass via RequestDispatcher forward/include. Described as a bypass vulnerability (Shiro before 1.10.0) with potential unauthorized access. The connected Broadcom/BSA entries reiterate the Shiro bypass detail; no explicit patch/version in these document...
CVE-2020-17523
CVE-2020-17523: Apache Shiro before 1.7.1, when used with Spring, can be bypassed via a specially crafted HTTP request, leading to authentication bypass. The vulnerability stems from path handling and whitespace/tokenization behavior that may cause a request to bypass Shiro’s authentication chec...
CVE-2022-32532
CVE-2022-32532 affects Apache Shiro prior to 1.9.1, where the RegexRequestMatcher can be misconfigured to bypass authorization on certain servlet containers when RegExPatternMatcher uses a "." in the pattern. The impact is potential unauthorized access to protected resources. Remediation per publ...
CVE-2021-41303
Apache Shiro prior to 1.8.0 (when used with Spring Boot) is affected by an authentication bypass via specially crafted HTTP requests. The CVE-2021-41303 entry notes a high/critical impact (C:H/I:H/A:H in CVSS 3.1) and recommends upgrading to Apache Shiro 1.8.0 or later to remediate. Connected doc...
CVE-2023-46749
CVE-2023-46749 affects Apache Shiro prior to 1.13.0 or 2.0.0-alpha-4, where path traversal used with path rewriting can lead to authentication bypass. This is triggered when combined with path rewriting, enabling attackers to bypass login checks. Mitigation options from multiple sources include u...
CVE-2023-46750
CVE-2023-46750 is an Open Redirect vulnerability in Apache Shiro triggered when using form authentication. Public references in Nessus/Ubuntu advisories and IBM/NCSC entries confirm the issue affects Apache Shiro components and can enable phishing via URL redirection to untrusted sites. The mitig...
CVE-2026-43827
CVE-2026-43827 affects Apache Shiro. In affected versions (1.0–2.1.0 and 3.0.0-alpha-1), an existing session is not invalidated nor a new session with a new ID issued after login, enabling session fixation. Upgraded fixes are available in 2.1.1 and 3.0.0-alpha-2 or later; apply the patch to mitig...
CVE-2026-23903
Summary of CVE-2026-23903 (Apache Shiro): It is an Authentication Bypass by Alternate Name vulnerability affecting Apache Shiro versions before 2.0.7, triggered when static files are served from a case-insensitive filesystem (e.g., macOS defaults). In such cases, request filename casing can bypas...
CVE-2026-43828
CVE-2026-43828 affects Apache Shiro. The issue: Shiro-native session manager and Remember-Me manager set cookies (JSESSIONID and rememberMe) without the Secure attribute by default, leaking sensitive cookies over non-HTTPS channels. Affected versions: 1.0 to 2.1.0, and 3.0.0-alpha-1. Remediation:...
CVE-2026-49268
The CVE-2026-49268 issue affects Apache Shiro’s DefaultLdapRealm where user input is concatenated into the LDAP DN template without escaping RFC 2253 characters. This LDAP DN injection can alter the bind DN, potentially bypassing authentication or impersonating other users. Technical details conf...
CVE-2026-23901
CVE-2026-23901 describes an observable timing discrepancy vulnerability in Apache Shiro affecting 1.* and 2.* before 2.0.7. The issue allows a local brute-force-style timing difference to reveal whether a username exists or a password is incorrect, enabling username enumeration. The most likely a...