Veracode Vulnerability Database: VERACODE:43824
History: Oct 13, 2023 - 6:43 p.m.

Authentication Bypass

Published: 2023-10-13 18:43:28
Source: Veracode Vulnerability Database (sca.analysiscenter.veracode.com)
Tags: vulnerable, pattern matching, spring-boot, apache shiro, authentication bypass, workaround, spring boot configuration

CVSS3: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.004
Percentile: 72.7%

org.apache.shiro:shiro-spring is vulnerable to Authentication Bypass. The vulnerability is due to the different path-pattern matching techniques used by Spring Boot 2.6+ and Apache Shiro, which can cause the two to evaluate the same request path differently and result in an authentication bypass. As a workaround, set the following Spring Boot configuration value: spring.mvc.pathmatch.matching-strategy = ant_path_matcher.
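The workaround above, written out as an added application.yml example (not from the advisory or the Shiro project); it assumes a Spring Boot 2.6+ application that already defines its Shiro filter chain:

```yaml
# Added example: application.yml for a Spring Boot 2.6+ application using shiro-spring.
spring:
  mvc:
    pathmatch:
      # Spring Boot 2.6 switched the default request matching strategy from
      # ant_path_matcher (AntPathMatcher) to path_pattern_parser (PathPatternParser).
      # Shiro's filter chain definitions are matched with Ant-style patterns, so the
      # two components can classify the same request path differently. The advisory's
      # workaround pins Spring MVC back to AntPathMatcher so both sides agree.
      matching-strategy: ant_path_matcher
```

Verify the effective value in the running application (for example via the Actuator env endpoint, if it is enabled) rather than assuming the file was picked up, and re-check it after Spring Boot upgrades.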

Affected configurations

Vulners node: apache shiro, range 1.10.1

Vendor: apache
Product: shiro
Version: *
CPE: cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*
