#VU26475 Improper Authentication in Apache Shiro
Vulnerability identifier: #VU26475
Vulnerability risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-287
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Apache Shiro
Universal components / Libraries /
Software for developers
Vendor: Apache Foundation
Description
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an authentication bypass when using Apache Shiro with Spring dynamic controllers. A remote attacker can send a specially crafted request and bypass authentication process.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Apache Shiro: 1.0.0 - 1.5.1
External links
http://lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e1be238895648f5a1e6%40%3Cdev.shiro.apache.org%3E
http://lists.apache.org/thread.html/rc64fb2336683feff3580c3c3a8b28e80525077621089641f2f386b63@%3Ccommits.camel.apache.org%3E
http://github.com/apache/shiro/commit/c7c9c57d69a180dce679c5f26d4f6db64b250a7e
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
