What is CVE-2023-22602?

CVE-2023-22602 is a vulnerability found in Apache Shiro that may allow a malicious user to bypass authentication.

How does CVE-2023-22602 work?

CVE-2023-22602 occurs when using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, where a specially crafted HTTP request can cause an authentication bypass due to different pattern-matching techniques used by Shiro and Spring Boot.

What is the severity of CVE-2023-22602?

CVE-2023-22602 has a severity rating of high (7 out of 10).

Which software versions are affected by CVE-2023-22602?

CVE-2023-22602 affects Apache Shiro versions up to but excluding 1.11.0, as well as Spring Boot versions 2.6.0 and above.

How can I fix CVE-2023-22602?

To fix CVE-2023-22602, upgrade to Apache Shiro version 1.11.0 or higher, and Spring Boot version below 2.6.0.

Vulnerability/
CVE-2023-22602

high

7.5

CWE

436

13/1/2023

14/1/2023

2/8/2024

CVE-2023-22602: Apache Shiro before 1.11.0, when used with Spring Boot 2.6+, may allow authentication bypass through a specially crafted HTTP request

First published: Fri Jan 13 2023(Updated: )

A flaw was found in Apache Shiro. This issue may allow a malicious user to send a specially crafted HTTP request that could cause an authentication bypass.

Credit: security@apache.org security@apache.org security@apache.org

Affected Software	Affected Version	How to fix
Apache Shiro	<1.11.0
Vmware Spring Boot	=2.6.0-\+
maven/org.apache.shiro:shiro-root	<1.11.0	1.11.0
redhat/shiro-core	<1.11.0	1.11.0

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2023-22602?
CVE-2023-22602 is a vulnerability found in Apache Shiro that may allow a malicious user to bypass authentication.
How does CVE-2023-22602 work?
CVE-2023-22602 occurs when using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, where a specially crafted HTTP request can cause an authentication bypass due to different pattern-matching techniques used by Shiro and Spring Boot.
What is the severity of CVE-2023-22602?
CVE-2023-22602 has a severity rating of high (7 out of 10).
Which software versions are affected by CVE-2023-22602?
CVE-2023-22602 affects Apache Shiro versions up to but excluding 1.11.0, as well as Spring Boot versions 2.6.0 and above.
How can I fix CVE-2023-22602?
To fix CVE-2023-22602, upgrade to Apache Shiro version 1.11.0 or higher, and Spring Boot version below 2.6.0.

collector/nvd-api
collector/github-advisory-latest
alias/GHSA-7cxr-h8wm-fg4c
alias/CVE-2023-22602
collector/github-advisory
collector/redhat-cve
collector/nvd-index
collector/nvd-cve
agent/type
agent/first-publish-date
agent/softwarecombine
agent/author
agent/references
agent/severity
agent/weakness
collector/redhat-bugzilla
source/Red Hat
agent/software-canonical-lookup
agent/title
agent/event
agent/description
agent/tags
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/trending
vendor/apache
canonical/apache shiro
vendor/vmware
canonical/vmware spring boot
version/vmware spring boot/2.6.0-\+
package-manager/maven
package-manager/redhat

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.