Apache Shiro

Known Exploited Apache Shiro Vulnerabilities

The following Apache Shiro vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title:       Apache Shiro 1.2.4 Cookie RememberME Deserial Remote Code Execution Vulnerability
CVE:         CVE-2016-4437
Description: Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
Added:       November 3, 2021

By the Year

In 2023 there have been 0 vulnerabilities published in Apache Shiro. Last year Shiro had 2 security vulnerabilities published. Right now, Shiro is on track to have fewer security vulnerabilities in 2023 than it did last year.

Year   Vulnerabilities   Average Score
2023   0                 0.00
2022   2                 9.80
2021   2                 9.80
2020   4                 9.23
2019   1                 7.50
2018   0                 0.00

It may take a day or so for new Shiro vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Apache Shiro Security Vulnerabilities

Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including

CVE-2022-40664 9.8 - Critical - October 12, 2022

Apache Shiro before 1.10.0: an authentication bypass in Shiro when a request is forwarded or included via RequestDispatcher.

authentication

Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers

CVE-2022-32532 9.8 - Critical - June 29, 2022

Apache Shiro before 1.9.1: a RegexRequestMatcher can be misconfigured so that it is bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.

AuthZ

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass

CVE-2021-41303 9.8 - Critical - September 17, 2021

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.

Apache Shiro before 1.7.1

CVE-2020-17523 9.8 - Critical - February 03, 2021

Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.

authentication

Apache Shiro before 1.7.0

CVE-2020-17510 9.8 - Critical - November 05, 2020

Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.

authentication

Apache Shiro before 1.6.0

CVE-2020-13933 7.5 - High - August 17, 2020

Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.

Apache Shiro before 1.5.3

CVE-2020-11989 9.8 - Critical - June 22, 2020

Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

Apache Shiro before 1.5.2

CVE-2020-1957 9.8 - Critical - March 25, 2020

Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

Apache Shiro before 1.4.2

CVE-2019-12422 7.5 - High - November 18, 2019

Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
