| Name | Description |
| --- | --- |
| CVE-2025-45613 | Incorrect access control in the component /user/list of Shiro-Action v0.6 allows attackers to access sensitive information via a crafted payload. |
| CVE-2025-29315 | An issue in the Shiro-based RBAC (Role-based Access Control) mechanism of OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allows attackers to execute privileged operations via a crafted request. |
| CVE-2025-29314 | Insecure Shiro cookie configurations in OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allow attackers to access sensitive information via a man-in-the-middle attack. |
| CVE-2024-0356 | A vulnerability has been found in Mandelo ssm_shiro_blog 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file updateRoles of the component Backend. The manipulation leads to improper access controls. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-250123. |
| CVE-2023-46750 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro. Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+. |
| CVE-2023-46749 | Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting. Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default). |
| CVE-2023-34478 | Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+. |
| CVE-2023-22602 | When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher` |
| CVE-2022-40664 | Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher. |
| CVE-2022-32532 | Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass. |
| CVE-2022-22928 | MCMS v5.2.4 was discovered to have a hardcoded shiro-key, allowing attackers to exploit the key and execute arbitrary code. |
| CVE-2021-41303 | Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0. |
| CVE-2021-38241 | Deserialization issue discovered in Ruoyi before 4.6.1 allows remote attackers to run arbitrary code via weak cipher in Shiro framework. |
| CVE-2020-27216 | In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability. |
| CVE-2020-1957 | Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. |
| CVE-2020-19229 | Jeesite 1.2.7 uses the Apache Shiro version 1.2.3 affected by CVE-2016-4437. Because of this version of the Java deserialization vulnerability, an attacker could exploit the vulnerability to execute arbitrary commands via the rememberMe parameter. |
| CVE-2020-17523 | Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. |
| CVE-2020-17510 | Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. |
| CVE-2020-13933 | Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass. |
| CVE-2020-11989 | Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. |
| CVE-2019-12422 | Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack. |
| CVE-2019-10086 | In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean. |
| CVE-2018-20437 | ** DISPUTED ** An issue was discovered in the fileDownload function in the CommonController class in FEBS-Shiro before 2018-11-05. An attacker can download a file via a request of the form /common/download?filename=1.jsp&delete=false. NOTE: the software maintainer disputes the significance of this report because the product uses a JAR archive for deployment, and this contains application.yml with configuration data. |
| CVE-2016-6802 | Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path. |
| CVE-2016-4437 | Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter. |
| CVE-2014-0074 | Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password. |
| CVE-2010-3863 | Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI. |