CVE-2020-1957 — Improper Authentication in Apache Shiro

CWE-287 — Improper Authentication12 documents9 sources

Severity

9.8CRITICALNVD

EPSS

88.6%

top 0.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Shiro Apache Software Foundation Apache Shiro Debian Linux

Timeline

PublishedMar 25

Latest updateMay 7

Description

Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDapache/shiro< 1.5.2

▶Debianapache/shiro< 1.3.2-4+deb11u1+2

▶CVEListV5apache_software_foundation/apache_shiroApache Shiro to 1.5.2

Also affects: Debian Linux 8.0

🔴Vulnerability Details

GHSA

Improper Authentication in Apache Shiro↗2021-05-07

▶

OSV

Improper Authentication in Apache Shiro↗2021-05-07

▶

CVEList

CVE-2020-1957: Apache Shiro before 1↗2020-03-25

▶

OSV

CVE-2020-1957: Apache Shiro before 1↗2020-03-25

▶

VulnCheck

Apache Shiro with Spring Dynamic Controllers Authentication Bypass↗2020

▶

📋Vendor Advisories

Ubuntu

Apache Shiro vulnerabilities↗2021-02-18

▶

Red Hat

shiro: Spring dynamic controllers, a specially crafted request may cause an authentication bypass↗2020-03-25

▶

Debian

CVE-2020-1957: shiro - Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controlle...↗2020

▶

💬Community

Bugzilla

CVE-2020-2230 jenkins: stored XSS vulnerability in project naming strategy↗2020-09-03

▶

Bugzilla

CVE-2020-1957 shiro: Spring dynamic controllers, a specially crafted request may cause an authentication bypass↗2020-04-29

▶

Bugzilla

CVE-2020-1957 shiro: Spring dynamic controllers, a specially crafted request may cause an authentication bypass [fedora-all]↗2020-04-29

▶