Sign In

CVE-2023-22602

ADVISORY - github

Summary

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: spring.mvc.pathmatch.matching-strategy = ant_path_matcher

EPSS Score: 0.0014 (0.349)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-436

Interpretation Conflict

ADVISORY - github

CWE-436

Interpretation Conflict

ADVISORY - gitlab

CWE-1035

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-436

Interpretation Conflict

CWE-937

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

ADVISORY - redhat

CWE-436

Interpretation Conflict

Impacted images

Advisories

NIST

CREATED

UPDATED

ADVISORY IDCVE-2023-22602
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-436

CVSS SCORE

7.5high

GitHub

CREATED

UPDATED

ADVISORY IDGHSA-7cxr-h8wm-fg4c
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-436

CVSS SCORE

7.5high

Debian

CREATED

UPDATED

ADVISORY IDCVE-2023-22602
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Ubuntu

CREATED

UPDATED

ADVISORY IDCVE-2023-22602
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

7.5medium

GitLab

CREATED

UPDATED

ADVISORY ID

CVE-2023-22602

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-1035CWE-436CWE-937

CVSS SCORE

7.5high

Red Hat

CREATED

UPDATED

ADVISORY IDCVE-2023-22602
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-436

CVSS SCORE

7.5medium