What is CVE-2021-41303?

CVE-2021-41303 is a vulnerability in Apache Software Foundation Shiro, classified under Improper Authentication. Published 2021-09-17.

Is CVE-2021-41303 known to be exploited?

8 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Auth bypass in Apache Software Foundation Shiro

CVE-2021-41303

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.

Vulnerability class: Broken Authentication

EPSS: 0.756 (99.5th percentile) — read the EPSS interpretation.

Affected products

Apache Software Foundation Shiro — versions Apache Shiro

Weakness classification (CWE)

CWE-287 — Improper Authentication

Public proof-of-concept exploits

References

lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbb… (x_refsource_MISC)
[shiro-user] 20210929 Re: CVE-2021-41303: Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass (mailing-list, x_refsource_MLIST)
www.oracle.com/security-alerts/cpujul2022.html (x_refsource_MISC)
security.netapp.com/advisory/ntap-20220609-0001/ (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2021-41303?: CVE-2021-41303 is a vulnerability in Apache Software Foundation Shiro, classified under Improper Authentication. Published 2021-09-17.
Is CVE-2021-41303 known to be exploited?: 8 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.