Vulnerabilities > Apache > Shiro

DATE CVE VULNERABILITY TITLE RISK
2024-01-15 CVE-2023-46749 Unspecified vulnerability in Apache Shiro
Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).
network
low complexity
apache
6.5
2023-12-14 CVE-2023-46750 Unspecified vulnerability in Apache Shiro
URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro. Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.
network
low complexity
apache
6.1
2023-07-24 CVE-2023-34478 Unspecified vulnerability in Apache Shiro
Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+
network
low complexity
apache
critical
9.8
2023-01-14 CVE-2023-22602 When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques.
network
low complexity
apache vmware
7.5
2022-10-12 CVE-2022-40664 Unspecified vulnerability in Apache Shiro
Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.
network
low complexity
apache
critical
9.8
2022-06-29 CVE-2022-32532 Incorrect Authorization vulnerability in Apache Shiro
Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers.
network
low complexity
apache CWE-863
critical
9.8
2021-09-17 CVE-2021-41303 Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass.
network
low complexity
apache oracle
critical
9.8
2021-02-03 CVE-2020-17523 Improper Authentication vulnerability in Apache Shiro
Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
network
low complexity
apache CWE-287
critical
9.8
2020-11-05 CVE-2020-17510 Improper Authentication vulnerability in multiple products
Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
network
low complexity
apache debian CWE-287
critical
9.8
2020-08-17 CVE-2020-13933 Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
network
low complexity
apache debian
7.5