CVE-2023-22602

HIGH

Apache Shiro < 1.11.0 - Interpretation Conflict

Title source: rule

Description

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`

References (2)

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20230302-0001/

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl

Scores

CVSS v3 7.5

EPSS 0.0016

EPSS Percentile 35.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-436

Status published

Products (3)

apache/shiro < 1.11.0

org.apache.shiro/shiro-root 0 - 1.11.0Maven

vmware/spring_boot 2.6.0 \+

Published Jan 14, 2023

Tracked Since Feb 18, 2026