Apache Shiro
Known Exploited Apache Shiro Vulnerabilities
The following Apache Shiro vulnerabilities have been added by CISA to its Known Exploited Vulnerabilities catalog, meaning they are known to be exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Apache Shiro 1.2.4 Cookie RememberME Deserial Remote Code Execution Vulnerability | Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter. CVE-2016-4437 | November 3, 2021 |
By the Year
In 2023 there have been 0 vulnerabilities in Apache Shiro. Last year Shiro had 2 security vulnerabilities published. Right now, Shiro is on track to have fewer security vulnerabilities in 2023 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2023 | 0 | 0.00 |
| 2022 | 2 | 9.80 |
| 2021 | 2 | 9.80 |
| 2020 | 4 | 9.23 |
| 2019 | 1 | 7.50 |
| 2018 | 0 | 0.00 |
It may take a day or so for new Shiro vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Apache Shiro Security Vulnerabilities
Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including
CVE-2022-40664 | 9.8 - Critical | October 12, 2022
Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.
Tag: authentication

Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers
CVE-2022-32532 | 9.8 - Critical | June 29, 2022
Apache Shiro before 1.9.1, a RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Tag: AuthZ

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass
CVE-2021-41303 | 9.8 - Critical | September 17, 2021
Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.

Apache Shiro before 1.7.1
CVE-2020-17523 | 9.8 - Critical | February 03, 2021
Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
Tag: authentication

Apache Shiro before 1.7.0
CVE-2020-17510 | 9.8 - Critical | November 05, 2020
Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
Tag: authentication

Apache Shiro before 1.6.0
CVE-2020-13933 | 7.5 - High | August 17, 2020
Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.

Apache Shiro before 1.5.3
CVE-2020-11989 | 9.8 - Critical | June 22, 2020
Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

Apache Shiro before 1.5.2
CVE-2020-1957 | 9.8 - Critical | March 25, 2020
Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

Apache Shiro before 1.4.2
CVE-2019-12422 | 7.5 - High | November 18, 2019
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.