CVE-2023-22602

moderate-risk
Published 2023-01-14

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`

Do I need to act?

-
0.16% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (2)

Spring Boot

Affected Vendors

Apache Vmware

References (3)

Mailing List https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl
Mailing List https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl
https://security.netapp.com/advisory/ntap-20230302-0001/
34
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 1/34 · Minimal
Exposure 7/34 · Low