org.apache.shiro:shiro-core 1.0.0-incubating vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.shiro:shiro-core package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Authentication Bypass org.apache.shiro:shiro-core is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Authentication Bypass when forwarding or including requests via the `RequestDispatcher` interface. Exploiting this vulnerability is possible due to improper filtering of the requests. How to fix Authentication Bypass? Upgrade `org.apache.shiro:shiro-core` to version 1.10.0 or higher.	[,1.10.0)
H Authorization Bypass org.apache.shiro:shiro-core is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Authorization Bypass when `RegExPatternMatcher` in a servlet container is supplied with a regular expression containing `.`. How to fix Authorization Bypass? Upgrade `org.apache.shiro:shiro-core` to version 1.9.1 or higher.	[,1.9.1)
H Authentication Bypass org.apache.shiro:shiro-core is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Authentication Bypass. When using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. How to fix Authentication Bypass? Upgrade `org.apache.shiro:shiro-core` to version 1.8.0 or higher.	[,1.8.0)
H Arbitrary Code Execution `org.apache.shiro:shiro-core` Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.	[,1.2.5)
H Authentication Bypass `org.apache.shiro:shiro-core` Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.	[1,1.2.3)

Vulnerability

Vulnerable Version

Authentication Bypass

org.apache.shiro:shiro-core is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.

Affected versions of this package are vulnerable to Authentication Bypass when forwarding or including requests via the RequestDispatcher interface. Exploiting this vulnerability is possible due to improper filtering of the requests.

How to fix Authentication Bypass?

Upgrade org.apache.shiro:shiro-core to version 1.10.0 or higher.

[,1.10.0)

Authorization Bypass

org.apache.shiro:shiro-core is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.

Affected versions of this package are vulnerable to Authorization Bypass when RegExPatternMatcher in a servlet container is supplied with a regular expression containing ..

How to fix Authorization Bypass?

Upgrade org.apache.shiro:shiro-core to version 1.9.1 or higher.

[,1.9.1)

Authentication Bypass

org.apache.shiro:shiro-core is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.

Affected versions of this package are vulnerable to Authentication Bypass. When using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass.

How to fix Authentication Bypass?

Upgrade org.apache.shiro:shiro-core to version 1.8.0 or higher.

[,1.8.0)

Arbitrary Code Execution

org.apache.shiro:shiro-core Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

[,1.2.5)

Authentication Bypass

org.apache.shiro:shiro-core Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.

[1,1.2.3)

org.apache.shiro:shiro-core@1.0.0-incubating vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?