Platform: java
Component: org.apache.shiro:shiro-core
Fixed in: 1.8.0
CVE-2021-41303 describes a critical authentication bypass vulnerability affecting Apache Shiro, a popular Java security framework. An attacker can exploit this flaw by sending a specially crafted HTTP request, potentially gaining unauthorized access to protected resources. This vulnerability impacts versions of Apache Shiro up to and including 1.7.1, but is resolved in version 1.8.0.
The impact of CVE-2021-41303 is severe. Successful exploitation allows an attacker to bypass authentication mechanisms entirely, effectively impersonating any user within the application. This could lead to unauthorized data access, modification, or deletion, as well as the ability to execute arbitrary code if the application has further vulnerabilities. The vulnerability's ease of exploitation, combined with Shiro's widespread use, makes it a high-priority concern. This bypass is particularly concerning in Spring Boot applications, which often integrate Shiro for authentication and authorization.
CVE-2021-41303 was publicly disclosed on September 20, 2021. While no active exploitation campaigns have been definitively confirmed, the vulnerability's critical severity and ease of exploitation make it a likely target. It is not currently listed on CISA KEV. Public proof-of-concept exploits are available, increasing the risk of widespread exploitation.
Organizations using Apache Shiro for authentication and authorization within Spring Boot applications are at significant risk. This includes businesses relying on web applications with sensitive data, particularly those using older Shiro versions without robust security practices. Shared hosting environments where multiple applications share the same Shiro instance are also at increased risk.
• java / server:
  find / -name "shiro-core-*.jar" -print0 | xargs -0 grep -i "org.apache.shiro.spring.SpringShiroLifecycleProcessor"
• generic web:
  curl -I https://your-application.com/ | grep Server
• java / application:
  Review application code for usage of org.apache.shiro.spring.SpringShiroLifecycleProcessor and ensure the Shiro version is >= 1.8.0.
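The checks above all come down to one question: which version of org.apache.shiro:shiro-core does the build actually declare, and is it below 1.8.0? The following script is an added example, not part of this advisory or of the Shiro project; it parses a pom.xml (a constructed sample is embedded, with the version declared through a Maven property as many builds do), resolves the property, and compares the version numerically so that 1.10.0 is correctly treated as newer than 1.8.0.

```python
import xml.etree.ElementTree as ET
import re

FIXED_VERSION = "1.8.0"                      # CVE-2021-41303 is fixed in Shiro 1.8.0
AFFECTED_COORD = ("org.apache.shiro", "shiro-core")

# Constructed sample pom.xml for this example (not from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><shiro.version>1.7.1</shiro.version></properties>
  <dependencies><dependency>
    <groupId>org.apache.shiro</groupId><artifactId>shiro-core</artifactId>
    <version>${shiro.version}</version>
  </dependency></dependencies>
</project>"""

def local(el):
    """Tag name without the Maven XML namespace."""
    return el.tag.rsplit("}", 1)[-1]

def child_text(el, name):
    """Text of the first direct child called `name`, or '' if absent."""
    return next(((c.text or "").strip() for c in el if local(c) == name), "")

def version_key(version):
    """Numeric tuple for ordering (1.10.0 > 1.9.0, unlike a string compare).
    A pre-release suffix such as -SNAPSHOT or -RC1 ranks below the bare release."""
    core, _, suffix = version.partition("-")
    return tuple(int(p) for p in core.split(".") if p.isdigit()) + (0 if suffix else 1,)

def is_affected(version):
    """True when the declared shiro-core version is below the fixed version."""
    return version_key(version) < version_key(FIXED_VERSION)

def check_pom(pom_xml):
    """Return [(resolved_version, verdict)] for every org.apache.shiro:shiro-core entry."""
    root = ET.fromstring(pom_xml)
    props = {local(p): (p.text or "").strip()
             for el in root if local(el) == "properties" for p in el}
    results = []
    for dep in (d for d in root.iter() if local(d) == "dependency"):
        if (child_text(dep, "groupId"), child_text(dep, "artifactId")) != AFFECTED_COORD:
            continue
        # Expand ${property} references; an empty or unresolved version is managed elsewhere
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)),
                         child_text(dep, "version"))
        if not version or "${" in version:
            results.append((version, "unknown"))
        else:
            results.append((version, "affected" if is_affected(version) else "fixed"))
    return results
```

A version reported as "unknown" is inherited from a parent POM or a BOM, so resolve it there (for example with `mvn dependency:tree`) before concluding the build is clean.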
disclosure
patch
Exploit status
EPSS: 50.08% (98th percentile)
CVSS vector:
The primary mitigation for CVE-2021-41303 is to upgrade to Apache Shiro version 1.8.0 or later. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These may include stricter input validation on HTTP requests, enhanced logging to detect suspicious activity, and potentially implementing a Web Application Firewall (WAF) rule to block requests containing known malicious patterns. Thoroughly test any workaround before deploying it to production. After upgrading, confirm the fix by attempting to reproduce the authentication bypass with a crafted HTTP request; it should fail.
Upgrade Apache Shiro to version 1.8.0 or later. This version fixes the authentication bypass vulnerability. The upgrade can be performed through the Maven or Gradle dependency manager.
CVE-2021-41303 is a critical vulnerability in Apache Shiro versions 1.7.1 and below, where a crafted HTTP request can bypass authentication when used with Spring Boot, allowing unauthorized access.
You are affected if you are using Apache Shiro versions 1.7.1 or earlier, especially within a Spring Boot application. Check your Shiro version immediately.
Upgrade to Apache Shiro version 1.8.0 or later to resolve the authentication bypass vulnerability. If immediate upgrade is not possible, implement temporary workarounds like stricter input validation.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's severity and ease of exploitation make it a likely target. Public PoCs exist.
Refer to the official Apache Shiro security advisory for detailed information and updates: https://shiro.apache.org/security/advisories/shiro-core-1.8.0.html