Improper Authentication in Apache Shiro



Published: 2020-03-31
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-1957
CWE-ID CWE-287
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Apache Shiro
Universal components / Libraries / Software for developers

Vendor Apache Foundation

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Improper Authentication

EUVDB-ID: #VU26475

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-1957

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an authentication bypass when using Apache Shiro with Spring dynamic controllers. A remote attacker can send a specially crafted request and bypass authentication process.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Apache Shiro: 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1

CPE2.3 External links

http://lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e1be238895648f5a1e6%40%3Cdev.shiro.apache.org%3E
http://lists.apache.org/thread.html/rc64fb2336683feff3580c3c3a8b28e80525077621089641f2f386b63@%3Ccommits.camel.apache.org%3E
http://github.com/apache/shiro/commit/c7c9c57d69a180dce679c5f26d4f6db64b250a7e

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###