Vulnerabilities > Apache > Shiro > Critical

DATE CVE VULNERABILITY TITLE RISK
2023-07-24 CVE-2023-34478 Path Traversal vulnerability in Apache Shiro
Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+
network
low complexity
apache CWE-22
critical
 9.8
9.8
2022-10-12 CVE-2022-40664 Improper Authentication vulnerability in Apache Shiro
Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.
network
low complexity
apache CWE-287
critical
 9.8
9.8
2022-06-29 CVE-2022-32532 Incorrect Authorization vulnerability in Apache Shiro
Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers.
network
low complexity
apache CWE-863
critical
 9.8
9.8
2021-09-17 CVE-2021-41303 Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass.
network
low complexity
apache oracle
critical
 9.8
9.8
2021-02-03 CVE-2020-17523 Improper Authentication vulnerability in Apache Shiro
Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
network
low complexity
apache CWE-287
critical
 9.8
9.8
2020-11-05 CVE-2020-17510 Improper Authentication vulnerability in multiple products
Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
network
low complexity
apache debian CWE-287
critical
 9.8
9.8
2020-06-22 CVE-2020-11989 Unspecified vulnerability in Apache Shiro
Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
network
low complexity
apache
critical
 9.8
9.8
2020-03-25 CVE-2020-1957 Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
network
low complexity
apache debian
critical
 9.8
9.8
2016-06-07 CVE-2016-4437 Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
network
low complexity
apache redhat
critical
 9.8
9.8