CVE-2020-17523: Apache Shiro Authentication Bypass Vulnerability Alert

Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.

Recently, Apache Shiro officially issued a security announcement, disclosing that Apache Shiro version <1.7.1 has an authentication bypass vulnerability (CVE-2020-17523) when used with Spring. Attackers may cause authentication bypass by sending specially crafted HTTP requests.

Affected version

  • Apache Shiro < 1.7.1

Unaffected version

  • Apache Shiro 1.7.1

Solution

At present, the latest Apache Shiro version 1.7.1 has been officially released to fix this vulnerability, and affected users are requested to upgrade to the unaffected version as soon as possible.