Apache Shiro Authentication Bypass Vulnerability (CVE-2023-34478)

Jul 27, 2023 GMT+08:00

I. Overview

Apache Shiro has published a security notice disclosing that Apache Shiro before 1.12.0 (1.x line) or before 2.0.0-alpha-3 (2.0.0 pre-releases) may be susceptible to a path traversal attack that results in an authentication bypass when Shiro is used together with APIs or other web frameworks that route requests based on non-normalized request paths. An attacker can craft a specially formed HTTP request that the web framework routes to a protected resource while Shiro's path-based filter chain does not match it, so the request bypasses authentication.

Apache Shiro is a widely used Java security framework that performs authentication, authorization, cryptography, and session management. If you use Apache Shiro, check the version deployed in your services (including versions pulled in transitively through shiro-web, shiro-spring, or the Spring Boot starters) and upgrade promptly.

References

http://www.openwall.com/lists/oss-security/2023/07/24/4

https://lists.apache.org/thread/jowcs5nd4tz5fxwl1mqkqnvyrwwx59qo

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Products

Affected versions:

Apache Shiro < 1.12.0

Apache Shiro < 2.0.0-alpha-3

Secure versions:

Apache Shiro >= 1.12.0

Apache Shiro >= 2.0.0-alpha-3

IV. Vulnerability Handling

The fix is included in Apache Shiro 1.12.0 for the 1.x line and in 2.0.0-alpha-3 for the 2.0.0 pre-releases. If the version in your service falls into the affected range, upgrade to the corresponding fixed release (or later). Note that the fix only closes the path-matching gap on Shiro's side; it does not change how your web framework routes requests, so keep Shiro's filter chain definitions aligned with the routes the framework actually serves. Release tags are listed at:

https://github.com/apache/shiro/tags
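The following script is an added example for this notice, not code from the Apache Shiro project: it encodes the affected/fixed version boundaries above (1.12.0 and 2.0.0-alpha-3) and scans the output of `mvn dependency:tree` for org.apache.shiro artifacts, flagging any that fall into the affected range. The sample dependency tree is constructed for illustration (it deliberately mixes 1.x and 2.0.0-alpha versions to exercise both comparisons); the version-string grammar assumed is `major.minor.patch` with an optional `-alpha-N` qualifier, which covers the releases the notice names.

```python
"""Flag Apache Shiro versions affected by CVE-2023-34478 in a Maven dependency tree.

Added example for this notice; not Apache Shiro project code.
Fixed versions per the notice: 1.12.0 (1.x line) and 2.0.0-alpha-3 (2.0.0 pre-releases).
"""
import re
from typing import List, Optional, Tuple

FIXED_1X = (1, 12, 0)      # first fixed 1.x release
FIXED_2X_ALPHA = 3         # first fixed 2.0.0 pre-release: 2.0.0-alpha-3

# Accepts "1.11.0", "1.12.0", "2.0.0-alpha-2". Any other qualifier (SNAPSHOT, RC, ...)
# is rejected rather than silently ordered, so unknown builds are reviewed by hand.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-alpha-(\d+))?$")

# Coordinate as printed by `mvn dependency:tree`, e.g.
#   [INFO] +- org.apache.shiro:shiro-core:jar:1.11.0:compile
_MAVEN_COORD_RE = re.compile(r"org\.apache\.shiro:([\w.-]+):jar:([^:\s]+):(\w+)")


def parse_version(version: str) -> Tuple[int, int, int, Optional[int]]:
    """Return (major, minor, patch, alpha) where alpha is None for final releases."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Shiro version string: {version!r}")
    major, minor, patch, alpha = m.groups()
    core = (int(major), int(minor), int(patch))
    alpha_n = int(alpha) if alpha is not None else None
    if alpha_n is not None and core != (2, 0, 0):
        # Only the 2.0.0 line has shipped -alpha-N pre-releases.
        raise ValueError(f"unexpected alpha qualifier on non-2.0.0 version: {version!r}")
    return core + (alpha_n,)


def is_affected(version: str) -> bool:
    """True if the given Shiro version is in the affected range of CVE-2023-34478."""
    major, minor, patch, alpha = parse_version(version)
    core = (major, minor, patch)
    if core < (2, 0, 0):
        return core < FIXED_1X                 # 1.x: anything below 1.12.0
    if core == (2, 0, 0):
        if alpha is None:
            return False                       # a 2.0.0 final postdates alpha-3
        return alpha < FIXED_2X_ALPHA          # alpha-1 and alpha-2 are affected
    return False                               # later 2.x lines carry the fix


def scan_dependency_tree(text: str) -> List[Tuple[str, str, bool]]:
    """Return (artifact, version, affected) for every org.apache.shiro jar in the tree."""
    findings = []
    for line in text.splitlines():
        for artifact, version, _scope in _MAVEN_COORD_RE.findall(line):
            findings.append((artifact, version, is_affected(version)))
    return findings


# Constructed sample output of `mvn dependency:tree`; versions are mixed on purpose.
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0-SNAPSHOT
[INFO] +- org.apache.shiro:shiro-core:jar:1.11.0:compile
[INFO] |  \\- org.apache.shiro:shiro-lang:jar:1.11.0:compile
[INFO] +- org.apache.shiro:shiro-web:jar:1.12.0:compile
[INFO] +- org.apache.shiro:shiro-spring-boot-web-starter:jar:2.0.0-alpha-2:compile
[INFO] \\- org.springframework.boot:spring-boot-starter-web:jar:2.7.13:compile
"""


def affected_findings(text: str) -> List[Tuple[str, str, bool]]:
    """Only the entries that need an upgrade."""
    return [f for f in scan_dependency_tree(text) if f[2]]


if __name__ == "__main__":
    for artifact, version, affected in scan_dependency_tree(SAMPLE_TREE):
        status = "AFFECTED - upgrade" if affected else "ok"
        print(f"{artifact}:{version} -> {status}")
```

Run it against real output with `mvn dependency:tree | python check_shiro.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`; the point of scanning the full tree rather than the project's own pom.xml is that a partial upgrade (shiro-web bumped, shiro-core still old, as in the sample) is exactly the case that hand inspection misses.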

Note: Before applying the upgrade, back up your files and test the change thoroughly in a non-production environment.