On October 02, 2020, Apache Shiro issued a risk notice about a Shiro authentication bypass vulnerability. The vulnerability is tracked as CVE-2020-17510 and is rated high risk.
Apache Shiro focuses on ease-of-use, so you can rely on secure, stable authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application.
“Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.”
Because Shiro and Spring process URLs differently, when Apache Shiro is used with Spring, a remote attacker can send specially crafted HTTP requests to bypass the authentication process and gain unauthorized access to the application.
Affected versions:
- Apache Shiro < 1.7

Fixed version:
- Apache Shiro 1.7
We recommend that users upgrade Shiro to the latest version promptly.
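To find deployments that still need the upgrade, the following added example (not part of the Apache Shiro notice) audits a list of jar file names, such as the contents of `WEB-INF/lib`, for Shiro artifacts older than 1.7.0 alongside Spring. The `artifact-version.jar` naming convention, the `audit` helper and the sample file names are assumptions made for illustration.

```python
import re
from pathlib import Path

# From the advisory: Apache Shiro before 1.7.0 is affected.
FIXED = (1, 7, 0)

# Assumed Maven-style jar naming: <artifact>-<version>[qualifier].jar
JAR_RE = re.compile(
    r"^(shiro-[a-z0-9-]+?)-(\d+(?:\.\d+)*)([.-][A-Za-z0-9.-]+)?\.jar$"
)


def parse_version(text):
    """Turn '1.6' or '1.4.0' into a comparable tuple, padded to three parts."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def audit(jar_names):
    """Report Shiro jars older than 1.7.0 and whether Spring is deployed too.

    Qualifiers such as -RC2 are ignored when comparing (an assumption), so
    only the numeric part of the version decides the result.
    """
    affected, spring = [], False
    for name in jar_names:
        base = Path(name).name
        # The advisory's condition is Shiro used together with Spring.
        if base.startswith("spring-") or base.startswith("shiro-spring"):
            spring = True
        m = JAR_RE.match(base)
        if m and parse_version(m.group(2)) < FIXED:
            affected.append((m.group(1), m.group(2) + (m.group(3) or "")))
    return {
        "affected": affected,
        "spring_present": spring,
        "exposed": bool(affected) and spring,
    }


if __name__ == "__main__":
    # Constructed sample listing, not taken from a real deployment.
    sample = [
        "WEB-INF/lib/shiro-core-1.6.0.jar",
        "WEB-INF/lib/shiro-spring-1.6.0.jar",
        "WEB-INF/lib/shiro-web-1.4.0-RC2.jar",
        "WEB-INF/lib/spring-webmvc-5.2.9.RELEASE.jar",
        "WEB-INF/lib/commons-lang3-3.11.jar",
    ]
    print(audit(sample))
```

An `exposed` result of `True` means the deployment matches the advisory's condition (Shiro before 1.7.0 together with Spring) and should be upgraded.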