Platform
java
Component
org.apache.shiro:shiro-core
Fixed in
1.8.0
1.8.0
CVE-2021-41303 describes a critical authentication bypass vulnerability affecting Apache Shiro, a popular Java security framework. An attacker can exploit this flaw by sending a specially crafted HTTP request, potentially gaining unauthorized access to protected resources. This vulnerability impacts versions of Apache Shiro up to and including 1.7.1, but is resolved in version 1.8.0.
The impact of CVE-2021-41303 is severe. Successful exploitation allows an attacker to bypass authentication mechanisms entirely, effectively impersonating any user within the application. This could lead to unauthorized data access, modification, or deletion, as well as the ability to execute arbitrary code if the application has further vulnerabilities. The vulnerability's ease of exploitation, combined with Shiro's widespread use, makes it a high-priority concern. This bypass is particularly concerning in Spring Boot applications, which often integrate Shiro for authentication and authorization.
CVE-2021-41303 was publicly disclosed on September 20, 2021. While no active exploitation campaigns have been definitively confirmed, the vulnerability's critical severity and ease of exploitation make it a likely target. It is not currently listed on CISA KEV. Public proof-of-concept exploits are available, increasing the risk of widespread exploitation.
Exploit Status
EPSS
50.08% (98% percentile)
CVSS Vector
The primary mitigation for CVE-2021-41303 is to upgrade to Apache Shiro version 1.8.0 or later. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These may include stricter input validation on HTTP requests, enhanced logging to detect suspicious activity, and potentially implementing a Web Application Firewall (WAF) rule to block requests containing known malicious patterns. Thoroughly test any workaround before deploying it to production. After upgrading, confirm the fix by attempting to reproduce the authentication bypass with a crafted HTTP request; it should fail.
Update Apache Shiro to version 1.8.0 or higher. This version corrects the authentication bypass vulnerability. The update can be performed through the Maven or Gradle dependency manager.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2021-41303 is a critical vulnerability in Apache Shiro versions 1.7.1 and below, where a crafted HTTP request can bypass authentication when used with Spring Boot, allowing unauthorized access.
You are affected if you are using Apache Shiro versions 1.7.1 or earlier, especially within a Spring Boot application. Check your Shiro version immediately.
Upgrade to Apache Shiro version 1.8.0 or later to resolve the authentication bypass vulnerability. If immediate upgrade is not possible, implement temporary workarounds like stricter input validation.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's severity and ease of exploitation make it a likely target. Public PoCs exist.
Refer to the official Apache Shiro security advisory for detailed information and updates: https://shiro.apache.org/security/advisories/shiro-core-1.8.0.html
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pom.xml file and we'll tell you instantly if you're affected.