CVE-2021-41303

CWE-287 — Improper Authentication8 documents7 sources

Severity

9.8CRITICAL

EPSS

46.8%

top 2.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Shiro Apache Shiro Oracle Financial Services Crime AND Compliance Management Studio

Timeline

PublishedSep 17

Latest updateJul 15

Description

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶NVDapache/shiro< 1.8.0

▶Mavenorg.apache.shiro:shiro-core< 1.8.0

▶CVEListV5apache_software_foundation/apache_shiroApache Shiro — 1.8.0

▶NVDoracle/financial_services_crime_and_compliance_management_studio8.0.8.2.0, 8.0.8.3.0+1

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

Apache Shiro vulnerable to a specially crafted HTTP request causing an authentication bypass↗2021-09-20

▶

OSV

Apache Shiro vulnerable to a specially crafted HTTP request causing an authentication bypass↗2021-09-20

▶

CVEList

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass↗2021-09-17

▶

OSV

CVE-2021-41303: Apache Shiro before 1↗2021-09-17

▶

📋Vendor Advisories

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Studio (Apache Shiro) — CVE-2021-41303↗2022-07-15

▶

Red Hat

shiro: specially crafted HTTP request may cause an authentication bypass↗2021-09-16

▶

Debian

CVE-2021-41303: shiro - Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially...↗2021

▶