=====================================================================

                              CERT-Renater

                  Note d'Information No. 2023/VULN004

_____________________________________________________________________

DATE                : 17/01/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Shiro versions prior to
                                           1.11.0.

=====================================================================
https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl
_____________________________________________________________________


CVE-2023-22602: Apache Shiro before 1.11.0, when used with Spring
Boot 2.6+, may allow authentication bypass through a specially
crafted HTTP request
Posted to announce@shiro.apache.org
Brian Demers -


Description:

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+,
a specially crafted HTTP request may cause an authentication bypass.

The authentication bypass occurs when Shiro and Spring Boot are
using different pattern-matching techniques. Both Shiro and
Spring Boot < 2.6 default to Ant style pattern matching.


Mitigation: Update to Apache Shiro 1.11.0, or set the following
Spring Boot configuration value:
  `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`


Credit:

v3ged0ge and Adamytd (finder)

References:

https://shiro.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-22602



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================