History: Jan 14, 2023 - 12:00 a.m.

CVE-2023-22602

ubuntu.com
Tags: cve-2023-22602, apache shiro, spring boot, authentication bypass, http request, pattern matching, mitigation, update, configuration, ant_path_matcher, unix

CVSS3: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS: 0.004
Percentile: 72.7%

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a
specially crafted HTTP request may cause an authentication bypass. The
bypass occurs when Shiro and Spring Boot use different pattern-matching
techniques, so that the two disagree about which rule a request path falls
under. Both Shiro and Spring Boot before 2.6 default to Ant-style pattern
matching. Mitigation: update to Apache Shiro 1.11.0, or set the following
Spring Boot configuration value so that Spring matches paths the same way
Shiro does:
spring.mvc.pathmatch.matching-strategy = ant_path_matcher
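As an added illustration (not code from Ubuntu, Apache Shiro or Spring), a Python check that decides whether a deployment still needs the mitigation above; it assumes that Spring Boot 2.6+ defaults to path_pattern_parser when the key is unset and that a Java .properties file is the configuration source:

```python
"""Check whether a Spring Boot + Apache Shiro deployment still needs the CVE-2023-22602
mitigation. Added illustration, not Ubuntu, Shiro or Spring code. Assumption: Spring Boot
2.6+ defaults to path_pattern_parser when the key is unset (the advisory only gives <2.6)."""

FIXED_SHIRO = (1, 11, 0)          # first Apache Shiro release with the fix
DEFAULT_CHANGED_BOOT = (2, 6, 0)  # Spring Boot release whose default matcher changed
STRATEGY_KEY = "spring.mvc.pathmatch.matching-strategy"

def parse_version(text):
    """'2.7.5' or '1.10.1-SNAPSHOT' -> (2, 7, 5) / (1, 10, 1); padded to three parts."""
    parts = [int(p) for p in text.split("-")[0].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_properties(text):
    """Minimal Java .properties reader: the first '=' or ':' separates key and value."""
    props = {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#!":
            continue  # blank line or comment
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if seps:
            props[line[:min(seps)].strip()] = line[min(seps) + 1:].strip()
    return props

def effective_strategy(props, boot_version):
    """Matcher Spring MVC will use: an explicit setting wins, else the version default."""
    explicit = props.get(STRATEGY_KEY)
    if explicit:
        return explicit.lower()
    if parse_version(boot_version) >= DEFAULT_CHANGED_BOOT:
        return "path_pattern_parser"  # assumed Spring Boot 2.6+ default
    return "ant_path_matcher"

def assess(shiro_version, boot_version, properties_text):
    """Return (needs_mitigation, reason) for CVE-2023-22602 given the deployment facts."""
    if parse_version(shiro_version) >= FIXED_SHIRO:
        return False, "Shiro %s already contains the fix" % shiro_version
    if parse_version(boot_version) < DEFAULT_CHANGED_BOOT:
        return False, "Spring Boot %s defaults to Ant-style matching" % boot_version
    strategy = effective_strategy(parse_properties(properties_text), boot_version)
    if strategy == "ant_path_matcher":
        return False, "%s=ant_path_matcher aligns Spring with Shiro" % STRATEGY_KEY
    return True, "Shiro %s with Spring Boot %s uses %s" % (shiro_version, boot_version, strategy)

# Constructed sample application.properties (not taken from the advisory).
SAMPLE_PROPERTIES = """
# application.properties
server.port=8080
spring.mvc.pathmatch.matching-strategy = ant_path_matcher
"""
```

Running `assess("1.10.1", "2.7.5", SAMPLE_PROPERTIES)` reports the deployment as mitigated, while the same versions with an empty configuration report that the update or setting is still needed.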
