Vulnerability in Apache Shiro
CVE-2020-13933
In Apache Shiro before 1.6.0, a specially crafted HTTP request may cause an authentication bypass.
EPSS: 0.809 (99.2nd percentile).
Affected products
- Apache Shiro, versions before 1.6.0
References
- lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876… (mailing-list thread)
- [geode-dev] 20200831 Proposal to bring GEODE-8456 (shiro upgrade) to support branches (mailing-list)
- [geode-dev] 20200901 Re: Proposal to bring GEODE-8456 (shiro upgrade) to support branches (mailing-list)
- [shiro-dev] 20200924 Request for assistance to backport CVE-2020-13933 fix (mailing-list)
- [shiro-dev] 20201004 Re: Request for assistance to backport CVE-2020-13933 fix (mailing-list)
- [shiro-dev] 20201217 Re: Request for assistance to backport CVE-2020-13933 fix (mailing-list)
- [shiro-dev] 20201219 Re: Request for assistance to backport CVE-2020-13933 fix (mailing-list)
- [shiro-dev] 20201220 Re: Request for assistance to backport CVE-2020-13933 fix (mailing-list)
- [shiro-dev] 20201221 Re: Request for assistance to backport CVE-2020-13933 fix (mailing-list)
- [shiro-dev] 20201222 Re: Request for assistance to backport CVE-2020-13933 fix (mailing-list)
Frequently asked questions
- What is CVE-2020-13933?
  - CVE-2020-13933 is a vulnerability in Apache Shiro. Published 2020-08-17.
- Is CVE-2020-13933 known to be exploited?
  - 42 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.