On June 29, 2022, Apache Shiro issued a risk notice about the authentication bypass. The vulnerability number is CVE-2022-32532, the vulnerability level is a high risk. Apache Shiro has an authentication bypass vulnerability due to applications using RegExPatternMatcher with `.` in the regular expression. A remote attacker can send a specially crafted HTTP request to bypass the authentication process and gain unauthorized access to the application.
Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.
“Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass,” read the security bulletin. CVE-2022-32532 flaw was reported by security researcher 4ra1n. Also, the simple poc code is available on Github.
Also, Apache Shiro version 1.9.1 contains 6 fixes since the 1.9.0 release and is available for Download now.
Improvement
* [SHIRO-871] – ActiveDirectoryRealm – append suffix only if missing from username
* [SHIRO-872] – fix Reproducible Builds issues
* [SHIRO-883] – Add support for case insensitive regex path matching
Dependency upgrade
* [SHIRO-878] – Update Spring Dependencies to 5.2.20
* [SHIRO-882] – Upgrade to apache pom parent 26
* [SHIRO-881] – pom.xml in samples/web may lack dependencyfixes
Affected version
- Apache Shiro < 1.9.1
Unaffected version
- Apache Shiro 1.9.1
Solution
In this regard, we recommend that users upgrade Apache Shiro to the latest version in time.
