Apache Shiro up to 1.7.0 Spring Support improper authentication


A vulnerability classified as critical has been found in Apache Shiro up to 1.7.0. Affected is some unknown functionality of the component Spring Support. Upgrading to version 1.7.1 eliminates this vulnerability.

Field                  | 02/04/2021 10:14 AM                                    | 02/23/2021 12:18 PM
-----------------------|--------------------------------------------------------|--------------------------------------------------------
cvss3_vuldb_e          | X                                                      | X
cvss2_vuldb_basescore  | 5.8                                                    | 5.8
cvss2_vuldb_tempscore  | 5.8                                                    | 5.0
cvss3_vuldb_basescore  | 6.3                                                    | 6.3
cvss3_vuldb_tempscore  | 6.3                                                    | 6.0
cvss3_meta_basescore   | 6.3                                                    | 6.3
cvss3_meta_tempscore   | 6.3                                                    | 6.0
price_0day             | $5k-$25k                                               | $5k-$25k
vendor                 | Apache                                                 | Apache
name                   | Shiro                                                  | Shiro
version                | <=1.7.0                                                | <=1.7.0
component              | Spring Support                                         | Spring Support
cwe                    | 287 (weak authentication)                              | 287 (weak authentication)
risk                   | 2                                                      | 2
cvss3_vuldb_ac         | L                                                      | L
cvss3_vuldb_pr         | N                                                      | N
cvss3_vuldb_c          | L                                                      | L
cvss3_vuldb_i          | L                                                      | L
cvss3_vuldb_a          | L                                                      | L
cvss3_vuldb_rl         | O                                                      | O
cvss3_vuldb_rc         | C                                                      | C
url                    | https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E | https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E
name                   | Upgrade                                                | Upgrade
upgrade_version        | 1.7.1                                                  | 1.7.1
cve                    | CVE-2020-17523                                         | CVE-2020-17523
date                   | 1612393200 (02/04/2021)                                | 1612393200 (02/04/2021)
cvss2_vuldb_ac         | L                                                      | L
cvss2_vuldb_au         | N                                                      | N
cvss2_vuldb_ci         | P                                                      | P
cvss2_vuldb_ii         | P                                                      | P
cvss2_vuldb_ai         | P                                                      | P
cvss2_vuldb_rc         | C                                                      | C
cvss2_vuldb_rl         | OF                                                     | OF
cvss2_vuldb_av         | A                                                      | A
cvss2_vuldb_e          | ND                                                     | ND
cvss3_vuldb_av         | A                                                      | A
cvss3_vuldb_ui         | N                                                      | N
cvss3_vuldb_s          | U                                                      | U

Fields with a single recorded value:

cve_assigned: 1597183200
cve_nvd_summary: Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
