Apache Shiro on Wednesday issued a risk notice about an authentication bypass vulnerability. The vulnerability number is CVE-2022-40664, and its severity is rated high. Apache Shiro could allow a remote attacker to bypass security restrictions when a request is forwarded or included via RequestDispatcher. A remote attacker can send a specially crafted HTTP request to bypass the authentication process and gain unauthorized access to the application.
Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.
“Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.” read the security bulletin. “As of 1.10.0, Shiro may filter a request multiple times, e.g. when including or forwarding requests. This behavior can be reverted by setting the following property: `shiro.filterOncePerRequest=true`”. The CVE-2022-40664 flaw was reported by security researcher Y4tacker.
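To make the bulletin's wording concrete, the following added example (constructed for this article, not Apache Shiro's own code) models a once-per-request security filter in front of a servlet that forwards internally. It assumes a constructed filter chain in which `/public/` paths are open and `/admin/` paths require authentication, and that the filter is mapped to forwarded dispatches as well as the original request; the names `SecurityFilter`, `Container` and `outcome` are hypothetical.

```python
"""Simplified model of a once-per-request filter in front of RequestDispatcher.forward.
Constructed illustration of the CVE-2022-40664 class of bypass; not Shiro's code."""
from dataclasses import dataclass, field

ALREADY_FILTERED = "securityFilter.FILTERED"  # request attribute marking "already filtered"

# Constructed path-based chain: prefix -> whether authentication is required
FILTER_CHAIN = {"/public/": False, "/admin/": True}


@dataclass
class Request:
    path: str
    authenticated: bool
    attributes: dict = field(default_factory=dict)  # survives a forward, as in servlets


class AccessDenied(Exception):
    pass


class SecurityFilter:
    def __init__(self, filter_once_per_request: bool):
        self.filter_once_per_request = filter_once_per_request

    def do_filter(self, req, next_handler):
        # With the "once per request" flag set, a forwarded request is never re-checked
        if self.filter_once_per_request and req.attributes.get(ALREADY_FILTERED):
            return next_handler(req)
        req.attributes[ALREADY_FILTERED] = True
        for prefix, needs_auth in FILTER_CHAIN.items():
            if req.path.startswith(prefix) and needs_auth and not req.authenticated:
                raise AccessDenied(req.path)
        return next_handler(req)


class Container:
    def __init__(self, security_filter):
        self.security_filter = security_filter

    def forward(self, req, target):
        # Like RequestDispatcher.forward: same request object, new target path
        req.path = target
        return self.security_filter.do_filter(req, self.servlet)

    def servlet(self, req):
        if req.path.startswith("/public/"):
            return self.forward(req, "/admin/dashboard")  # public servlet forwards internally
        return f"served {req.path}"

    def handle(self, req):
        return self.security_filter.do_filter(req, self.servlet)


def outcome(filter_once_per_request, path="/public/report", authenticated=False):
    """Return what an unauthenticated (by default) request to `path` ends up getting."""
    try:
        return Container(SecurityFilter(filter_once_per_request)).handle(Request(path, authenticated))
    except AccessDenied as denied:
        return f"denied {denied}"
```

With the once-per-request flag set, the forward reaches `/admin/dashboard` without the chain being re-evaluated; with it cleared (the 1.10.0 default behaviour of filtering on each dispatch), the forwarded request is denied.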
Also, Apache Shiro version 1.10.0 contains 7 fixes since the 1.9.1 release and is available for download now.
Affected version
- Apache Shiro <= 1.9.1
Unaffected version
- Apache Shiro 1.10.0
Solution
We recommend that users upgrade Apache Shiro to the latest version promptly.