CVE-2022-32532

CRITICAL

Apache Shiro < 1.9.1 - Incorrect Authorization

Title source: rule

Description

In Apache Shiro before 1.9.1, a RegexRequestMatcher can be misconfigured so that it is bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.

Exploits (4)

nomisec - WORKING POC - 13 stars
by Lay0us · poc
https://github.com/Lay0us/CVE-2022-32532

nomisec - WORKING POC
by my0113 · poc
https://github.com/my0113/shiro-cve-2022-32532

inthewild - WORKING POC
poc
https://github.com/lay0us1/cve-2022-32532

Scores

CVSS v3 9.8
EPSS 0.8095
EPSS Percentile 99.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-863
Status published
Products (2)
apache/shiro < 1.9.1
org.apache.shiro/shiro-core 0 - 1.9.1 (Maven)
Published Jun 29, 2022
Tracked Since Feb 18, 2026