Apache Shiro


Known Exploited Apache Shiro Vulnerabilities

The following Apache Shiro vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title: Apache Shiro 1.2.4 Cookie RememberMe Deserialization Remote Code Execution Vulnerability
CVE: CVE-2016-4437
Description: Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
Added to the KEV catalog: November 3, 2021
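The root cause of the entry above is a "remember me" cookie encrypted under a key the deployment never chose. Shiro 1.2.4 fell back to a fixed default key, so anyone could encrypt a malicious serialized object and hand it back as the cookie; releases from 1.2.5 on generate a random key at startup instead, which is safe but invalidates cookies on every restart and does not work across cluster nodes, so production deployments still set their own. The following is an added example, not Apache Shiro project code, of generating a per-deployment key once and building the `CookieRememberMeManager` from it at startup. The environment variable name `SHIRO_REMEMBERME_KEY` is an assumption for the example; `AesCipherService`, `CookieRememberMeManager` and `setCipherKey` are Shiro's own API.

```java
import java.util.Base64;

import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;

/**
 * Added example (not Apache Shiro project code): give the "remember me" cookie a
 * deployment-specific AES key instead of relying on a library default (1.2.4)
 * or on the per-startup random key that later releases generate.
 */
public class RememberMeKeyConfig {

    /** Run once: generate a fresh AES key (128-bit by default) and return it Base64-encoded for a secret store. */
    public static String generateBase64Key() {
        byte[] key = new AesCipherService().generateNewKey().getEncoded();
        return Base64.getEncoder().encodeToString(key);
    }

    /** Run at startup: build the manager from the stored key so every node and every restart uses the same one. */
    public static CookieRememberMeManager rememberMeManager(String base64Key) {
        byte[] key = Base64.getDecoder().decode(base64Key);
        if (key.length != 16 && key.length != 24 && key.length != 32) {
            throw new IllegalArgumentException("cipher key must be 128, 192 or 256 bits");
        }
        CookieRememberMeManager manager = new CookieRememberMeManager();
        manager.setCipherKey(key);
        // The default rememberMe cookie is already HttpOnly; mark it Secure as well so it only travels over TLS.
        manager.getCookie().setSecure(true);
        return manager;
    }

    public static void main(String[] args) {
        // SHIRO_REMEMBERME_KEY is an assumed variable name for this example, not a Shiro convention.
        String key = System.getenv("SHIRO_REMEMBERME_KEY");
        if (key == null) {
            System.out.println("No key configured; generated one (store it in a secret store, never commit it): "
                    + generateBase64Key());
            return;
        }
        CookieRememberMeManager manager = rememberMeManager(key);
        System.out.println("rememberMe cookie '" + manager.getCookie().getName() + "' uses a "
                + Base64.getDecoder().decode(key).length * 8 + "-bit key");
    }
}
```

Wire the returned manager into the security manager with `securityManager.setRememberMeManager(manager)`; the shiro.ini equivalent is `securityManager.rememberMeManager.cipherKey = <Base64 value>`. Rotating the key logs out every remembered session, which is the intended effect if a key is ever suspected to have leaked.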

By the Year

In 2024 there has been 1 vulnerability published for Apache Shiro so far, with an average CVSS base score of 6.5 out of 10. Last year Shiro had 2 security vulnerabilities published. If vulnerabilities keep arriving at the current rate, the 2024 count could surpass last year's. Last year's average base score was 1.45 higher (7.95 versus 6.50).

Year Vulnerabilities Average Score
2024 1 6.50
2023 2 7.95
2022 2 9.80
2021 2 9.80
2020 4 9.23
2019 1 7.50
2018 0 0.00

It may take a day or so for new Shiro vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Apache Shiro Security Vulnerabilities

Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack

CVE-2023-46749 6.5 - Medium - January 15, 2024

Apache Shiro before 1.13.0 or 2.0.0-alpha-4 may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting. Mitigation: update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` (a property of Shiro's `InvalidRequestFilter`) is enabled; it is enabled by default, so check that it has not been switched off in your configuration.

Directory traversal

URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro

CVE-2023-46750 6.1 - Medium - December 14, 2023

URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro. Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.

Open Redirect

Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack

CVE-2023-34478 9.8 - Critical - July 24, 2023

Apache Shiro before 1.12.0 or 2.0.0-alpha-3 may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+.

Directory traversal

Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including

CVE-2022-40664 9.8 - Critical - October 12, 2022

Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.

Authentication bypass

Apache Shiro before 1.9.1, a RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers

CVE-2022-32532 9.8 - Critical - June 29, 2022

Apache Shiro before 1.9.1, a RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass: in Java regular expressions `.` does not match line terminators unless the pattern is compiled with the DOTALL flag, so a request path carrying an encoded newline can fall outside a pattern such as `/admin/.*` and reach the resource without the filter chain being applied.

Authorization bypass
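To see the matching behaviour behind CVE-2022-32532 without a servlet container, the following added example (not Apache Shiro project code) runs a `.`-based pattern over two constructed request paths with plain `java.util.regex`, once without flags, as pre-1.9.1 matching behaved, and once with `Pattern.DOTALL`, which is what the 1.9.1 fix compiles patterns with. The pattern string and the sample paths are assumptions for the demonstration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

/**
 * Added illustration (not Shiro code): why a `.` in a regex filter-chain pattern
 * lets a path containing an encoded line feed (%0a) escape the pattern unless
 * the pattern is compiled with DOTALL.  Requires Java 10+ for URLDecoder.decode(String, Charset).
 */
public class DotPatternBypassDemo {

    /** Pre-1.9.1 behaviour: pattern compiled with no flags, so `.` stops at line terminators. */
    public static boolean matchesWithoutDotall(String pattern, String path) {
        return Pattern.compile(pattern).matcher(path).matches();
    }

    /** 1.9.1+ behaviour: with DOTALL, `.` also matches line terminators such as \n. */
    public static boolean matchesWithDotall(String pattern, String path) {
        return Pattern.compile(pattern, Pattern.DOTALL).matcher(path).matches();
    }

    public static void main(String[] args) {
        // Assumed operator pattern: everything under /admin/ is meant to require authentication.
        String protectedPattern = "/admin/.*";
        // Constructed sample paths; the second carries a URL-encoded line feed.
        String[] rawPaths = { "/admin/users", "/admin/%0ausers" };

        for (String raw : rawPaths) {
            // A container that accepts %0a in the path hands the decoded form to the matcher.
            String decoded = URLDecoder.decode(raw, StandardCharsets.UTF_8);
            System.out.printf("%-18s no-DOTALL=%-5s DOTALL=%s%n", raw,
                    matchesWithoutDotall(protectedPattern, decoded),
                    matchesWithDotall(protectedPattern, decoded));
        }
        // Expected: /admin/users matches in both modes; /admin/%0ausers matches only with DOTALL.
        // In the no-DOTALL case the authc filter mapped to the pattern is never applied to that request.
    }
}
```

The same check is worth running against your own filter-chain definitions after an upgrade: any pattern that relies on `.` to cover "the rest of the path" was reachable this way on containers that accept encoded line terminators, and the `InvalidRequestFilter` does not block `%0a` because a line feed is ASCII.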

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass

CVE-2021-41303 9.8 - Critical - September 17, 2021

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.

Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass

CVE-2020-17523 9.8 - Critical - February 03, 2021

Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.

Authentication bypass

Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass

CVE-2020-17510 9.8 - Critical - November 05, 2020

Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.

Authentication bypass

Apache Shiro before 1.6.0, a specially crafted HTTP request may cause an authentication bypass

CVE-2020-13933 7.5 - High - August 17, 2020

Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.

Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass

CVE-2020-11989 9.8 - Critical - June 22, 2020

Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass

CVE-2020-1957 9.8 - Critical - March 25, 2020

Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack

CVE-2019-12422 7.5 - High - November 18, 2019

Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
