CVE-2023-22602: Apache Shiro Authentication Bypass Vulnerability

Apache Shiro last week issued a risk notice about the authentication bypass vulnerability. Tracked as CVE-2023-22602, Apache Shiro could allow a remote attacker to bypass security restrictions, caused by a flaw when Shiro and Spring Boot are using different pattern-matching techniques. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to bypass access restrictions.

Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.

“When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching,” read the security bulletin. Apache has been credited to two researchers v3ged0ge and Adamytd for finding this flaw.

In this regard, we recommend that users upgrade Apache Shiro to the latest version (1.11.0) in time to fix the CVE-2023-22602 flaw. If you are unable to update Shiro, you can migrate the bug by setting the following Spring Boot configuration value:

`spring.mvc.pathmatch.matching-strategy = ant_path_matcher`