Vulnerability in Apache Shiro
CVE-2020-1957
Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
EPSS: 0.886 (99.5th percentile) — read the EPSS interpretation.
Affected products
- N/a Apache Shiro — versions Apache Shiro to 1.5.2
Public proof-of-concept exploits
References
- lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e1be23889564… (x_refsource_MISC)
- [camel-commits] 20200325 [camel] branch camel-3.0.x updated: Updating Shiro to 1.5.2 due to CVE-2020-1957 (mailing-list, x_refsource_MLIST)
- [geode-dev] 20200406 Proposal to bring GEODE-7941 to support/1.12 (mailing-list, x_refsource_MLIST)
- [debian-lts-announce] 20200419 [SECURITY] [DLA 2181-1] shiro security update (mailing-list, x_refsource_MLIST)
- [shiro-commits] 20200622 svn commit: r1879089 - /shiro/site/publish/security-reports.html (mailing-list, x_refsource_MLIST)
- [shiro-commits] 20200622 svn commit: r1879088 - /shiro/site/publish/security-reports.html (mailing-list, x_refsource_MLIST)
- [shiro-commits] 20200817 svn commit: r1880941 - /shiro/site/publish/security-reports.html (mailing-list, x_refsource_MLIST)
Frequently asked questions
- What is CVE-2020-1957?
- CVE-2020-1957 is a vulnerability in Apache Shiro. Published 2020-03-25.
- Is CVE-2020-1957 known to be exploited?
- 34 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.