SB2020033112 - Improper Authentication in Apache Shiro
Published: March 31, 2020
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper Authentication (CVE-ID: CVE-2020-1957)
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists due to an authentication bypass when Apache Shiro is used together with Spring dynamic controllers. A remote attacker can send a specially crafted request and bypass the authentication process.
Remediation
Install the update from the vendor's website.
References
- https://lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e1be238895648f5a1e6%40%3Cdev.shiro.apache.org%3E
- https://lists.apache.org/thread.html/rc64fb2336683feff3580c3c3a8b28e80525077621089641f2f386b63@%3Ccommits.camel.apache.org%3E
- https://github.com/apache/shiro/commit/c7c9c57d69a180dce679c5f26d4f6db64b250a7e