Auth bypass in Apache Software Foundation Shiro

CVE-2022-32532

In Apache Shiro before 1.9.1, a RegexRequestMatcher can be misconfigured so that it is bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.

Vulnerability class: Broken Access Control

EPSS: 0.819 (99.2nd percentile).

Frequently asked questions

What is CVE-2022-32532?
CVE-2022-32532 is a vulnerability in Apache Software Foundation Shiro, classified under Incorrect Authorization. Published 2022-06-28.
Is CVE-2022-32532 known to be exploited?
31 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.