CVE-2020-17510: Apache Shiro Authentication Bypass Vulnerability Alert

On October 02, 2020, Apache Shiro issued a risk notice about a Shiro authentication bypass vulnerability. The vulnerability number is CVE-2020-17510, and the vulnerability level is high risk.
Apache Shiro focuses on ease-of-use, so you can rely on secure, stable authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application. 

“Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.”

Vulnerability Detail

Because Shiro and Spring process URLs differently, when Apache Shiro is used together with Spring, a remote attacker can send a specially crafted HTTP request that bypasses the authentication process and gains unauthorized access to the application.

Affected version

  • Apache Shiro < 1.7

Unaffected version

  • Apache Shiro 1.7

Solution

In this regard, we recommend that users upgrade Shiro to the latest version (1.7.0 or later) as soon as possible.