Authentication Bypass Affecting org.apache.shiro:shiro-web Open this link in a new tab package, versions [,1.5.2)

Attack Complexity

High
User Interaction

Required
Confidentiality

High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

SNYK-JAVA-ORGAPACHESHIRO-608688
published

25 Mar 2020
disclosed

25 Mar 2020
credit

Unknown

Report a new vulnerability Found a mistake?

Introduced: 25 Mar 2020

CVE-2020-1957 Open this link in a new tab CWE-305 Open this link in a new tab

How to fix?

Upgrade org.apache.shiro:shiro-web to version 1.5.2 or higher.

Overview

org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.

Affected versions of this package are vulnerable to Authentication Bypass when using Apache Shiro with Spring dynamic controllers. Then by creating a specially crafted request, it may cause an authentication bypass.

Authentication Bypass Affecting org.apache.shiro:shiro-web Open this link in a new tab package, versions [,1.5.2)

Attack Complexity

User Interaction

Confidentiality

snyk-id

published

disclosed

credit

Introduced: 25 Mar 2020

How to fix?

Overview

References