Vulnerability in Apache Software Foundation Shiro
CVE-2020-11989
In Apache Shiro before 1.5.3, when Apache Shiro is used with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
EPSS: 0.847 (99.4th percentile).
Affected products
- Apache Software Foundation Shiro: versions 1.5.2 - 1.5.3
Public proof-of-concept exploits
References
- lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511… (x_refsource_MISC)
- [shiro-dev] 20200622 [Announce] CVE-2020-11989: Authentication Bypass by Primary Weakness (mailing-list, x_refsource_MLIST)
- [shiro-commits] 20200622 svn commit: r1879089 - /shiro/site/publish/security-reports.html (mailing-list, x_refsource_MLIST)
- [shiro-commits] 20200622 svn commit: r1879088 - /shiro/site/publish/security-reports.html (mailing-list, x_refsource_MLIST)
- [geode-dev] 20200630 Re: Proposal to bring GEODE-8315 (shiro upgrade) to support branches (mailing-list, x_refsource_MLIST)
- [geode-dev] 20200630 Proposal to bring GEODE-8315 (shiro upgrade) to support branches (mailing-list, x_refsource_MLIST)
- [shiro-commits] 20200817 svn commit: r1880941 - /shiro/site/publish/security-reports.html (mailing-list, x_refsource_MLIST)
Frequently asked questions
- What is CVE-2020-11989?
- CVE-2020-11989 is a vulnerability in Apache Software Foundation Shiro. Published 2020-06-22.
- Is CVE-2020-11989 known to be exploited?
- 31 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.