CVE-2022-32532 — Incorrect Authorization in Apache Shiro

CWE-863 — Incorrect Authorization CWE-285 — Improper Authorization8 documents7 sources

Severity

9.8CRITICALNVD

EPSS

80.9%

top 0.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Shiro Apache Software Foundation Apache Shiro

Timeline

PublishedJun 29

Latest updateOct 15

Description

Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDapache/shiro< 1.9.1

▶CVEListV5apache_software_foundation/apache_shiroBefore 1.9.1

🔴Vulnerability Details

OSV

Improper Authorization in Apache Shiro↗2022-06-30

▶

GHSA

Improper Authorization in Apache Shiro↗2022-06-30

▶

OSV

CVE-2022-32532: Apache Shiro before 1↗2022-06-29

▶

CVEList

Authentication Bypass Vulnerability↗2022-06-28

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: WebCenter Sites (Apache Shiro) — CVE-2022-32532↗2022-10-15

▶

Red Hat

shiro: authorization bypass due to possible misconfigured↗2022-06-28

▶

Debian

CVE-2022-32532: shiro - Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypa...↗2022

▶