Vulnerability in Apache Shiro
CVE-2020-17523
In Apache Shiro before 1.7.1, when Shiro is used with Spring, a specially crafted HTTP request may cause an authentication bypass.
EPSS: 0.888 (99.5th percentile)
Affected products
- Apache Shiro (vendor listed as n/a): versions before 1.7.1
Public proof-of-concept exploits
References
- lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b… (x_refsource_MISC)
- [activemq-gitbox] 20210210 [GitHub] [activemq] ehossack-aws opened a new pull request #614: Update shiro to 1.7.1 (mailing-list, x_refsource_MLIST)
- [activemq-issues] 20210301 [jira] [Created] (AMQ-8159) High severity security issues found in Apache Shiro v.1.7.0 (mailing-list, x_refsource_MLIST)
- [shiro-dev] 20210331 Re: Request for assistance to backport CVE-2020-13933 fix (mailing-list, x_refsource_MLIST)
- [shiro-dev] 20210407 Re: Request for assistance to backport CVE-2020-13933 fix (mailing-list, x_refsource_MLIST)
- [shiro-dev] 20210424 Re: Ask help for upgrading Shiro in CDH platform to 1.7.1 (mailing-list, x_refsource_MLIST)
- [activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs (mailing-list, x_refsource_MLIST)
- [shiro-dev] 20210504 Re: Request for assistance to backport CVE-2020-13933 fix (mailing-list, x_refsource_MLIST)
Frequently asked questions
- What is CVE-2020-17523?
  - CVE-2020-17523 is a vulnerability in Apache Shiro. Published 2021-02-03.
- Is CVE-2020-17523 known to be exploited?
  - 29 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.