{"url":"http://public2.vulnerablecode.io/api/packages/277635?format=json","purl":"pkg:maven/org.apache.shiro/shiro-spring-boot-web-starter@1.5.2","type":"maven","namespace":"org.apache.shiro","name":"shiro-spring-boot-web-starter","version":"1.5.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.11.0","latest_non_vulnerable_version":"1.11.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53766?format=json","vulnerability_id":"VCID-1t9b-4dng-byd5","summary":"Missing Authentication for Critical Function\nWhen using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-17510.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-17510.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-17510","reference_id":"","reference_type":"","scores":[{"value":"0.01799","scoring_system":"epss","scoring_elements":"0.83153","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01799","scoring_system":"epss","scoring_elements":"0.83141","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01799","scoring_system":"epss","scoring_elements":"0.83148","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01799","scoring_system":"epss","scoring_elements":"0.83151","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01799","scoring_system":"epss","scoring_elements":"0.83126","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01799","scoring_system":"epss","scoring_elements":"0.83152","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-17510"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17510","reference_i
d":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17510"},{"reference_url":"https://github.com/apache/shiro","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/shiro"},{"reference_url":"https://github.com/apache/shiro/commit/dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/shiro/commit/dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d"},{"reference_url":"https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129@%3Cdev.shiro.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129@%3Cdev.shiro.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4@%3Cdev.shiro.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4@%3Cdev.shiro.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a@%3Cdev
.shiro.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a@%3Cdev.shiro.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac@%3Cdev.shiro.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac@%3Cdev.shiro.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r95bdf3703858b5f958b5e190d747421771b430d97095880db91980d6@%3Cannounce.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r95bdf3703858b5f958b5e190d747421771b430d97095880db91980d6@%3Cannounce.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d@%3Cdev.shiro.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d@%3Cdev.shiro.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99f
b6d04510de5722cf14b7137e6bc@%3Cdev.shiro.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc@%3Cdev.shiro.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0@%3Cdev.shiro.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0@%3Cdev.shiro.apache.org%3E"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1903727","reference_id":"1903727","reference_type":"","scores":[],"url":"https://bugzilla.red
hat.com/show_bug.cgi?id=1903727"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988728","reference_id":"988728","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988728"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-17510","reference_id":"CVE-2020-17510","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-17510"},{"reference_url":"https://github.com/advisories/GHSA-7cj4-gj8m-m2f7","reference_id":"GHSA-7cj4-gj8m-m2f7","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7cj4-gj8m-m2f7"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3140","reference_id":"RHSA-2021:3140","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3140"},{"reference_url":"https://usn.ubuntu.com/6352-1/","reference_id":"USN-6352-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6352-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79062?format=json","purl":"pkg:maven/org.apache.shiro/shiro-spring-boot-web-starter@1.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4gs5-8qe5-vqg9"},{"vulnerability":"VCID-amds-41as-8yfy"},{"vulnerability":"VCID-dnja-zzkd-7qcu"},{"vulnerability":"VCID-yzg7-zr9w-qubf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.shiro/shiro-spring-boot-web-starter@1.7.0"}],"aliases":["CVE-2020-17510","GHSA-7cj4-gj8m-m2f7"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1t9b-4dng-byd5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/100813?format=json"
,"vulnerability_id":"VCID-4gs5-8qe5-vqg9","summary":"shiro: Authentication Bypass Vulnerability","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40664.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40664.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-40664","reference_id":"","reference_type":"","scores":[{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72603","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72564","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72604","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72611","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72593","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72579","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-40664"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40664","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40664"},{"reference_url":"https://github.com/apache/shiro","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/shiro"},{"reference_url":"https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1"
,"scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-05-15T15:02:13Z/"}],"url":"https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40664","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40664"},{"reference_url":"https://security.netapp.com/advisory/ntap-20221118-0005","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20221118-0005"},{"reference_url":"https://shiro.apache.org/blog/2022/10/10/2022/apache-shiro-1101-released.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://shiro.apache.org/blog/2022/10/10/2022/apache-shiro-1101-released.html"},{"reference_url":"http://www.openwall.com/lists/oss-security/2022/10/12/1","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-05-15T15:02:13Z/"}],"url":"http://www.openwall.com/lists/oss-security/2022/10/12/1"},{"r
eference_url":"http://www.openwall.com/lists/oss-security/2022/10/12/2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-05-15T15:02:13Z/"}],"url":"http://www.openwall.com/lists/oss-security/2022/10/12/2"},{"reference_url":"http://www.openwall.com/lists/oss-security/2022/10/13/1","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-05-15T15:02:13Z/"}],"url":"http://www.openwall.com/lists/oss-security/2022/10/13/1"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021671","reference_id":"1021671","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021671"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2193469","reference_id":"2193469","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2193469"},{"reference_url":"https://github.com/advisories/GHSA-45x9-q6vj-cqgq","reference_id":"GHSA-45x9-q6vj-cqgq","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-45x9-q6vj-cqgq"},{"reference_url":"https://security.netapp.com/advisory/ntap-20221118-0005/","reference_id":"ntap-20221118-0005","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2
025-05-15T15:02:13Z/"}],"url":"https://security.netapp.com/advisory/ntap-20221118-0005/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/504513?format=json","purl":"pkg:maven/org.apache.shiro/shiro-spring-boot-web-starter@1.10.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-amds-41as-8yfy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.shiro/shiro-spring-boot-web-starter@1.10.0"}],"aliases":["CVE-2022-40664","GHSA-45x9-q6vj-cqgq"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4gs5-8qe5-vqg9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54696?format=json","vulnerability_id":"VCID-amds-41as-8yfy","summary":"Interpretation Conflict\nWhen using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching. 
Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22602.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22602.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22602","reference_id":"","reference_type":"","scores":[{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44267","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.4424","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44308","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44317","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44292","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44255","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22602"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22602","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22602"},{"reference_url":"https://github.com/apache/shiro","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/shiro"},{"reference_url":"https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl","reference_id":"","reference_type"
:"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-01T15:25:09Z/"}],"url":"https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029039","reference_id":"1029039","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029039"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2182198","reference_id":"2182198","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2182198"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22602","reference_id":"CVE-2023-22602","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22602"},{"reference_url":"https://github.com/advisories/GHSA-7cxr-h8wm-fg4c","reference_id":"GHSA-7cxr-h8wm-fg4c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7cxr-h8wm-fg4c"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:2100","reference_id":"RHSA-2023:2100","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:2100"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81133?format=json","purl":"pkg:maven/org.apache.shiro/shiro-spring-boot-web-starter@1.11.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.shiro/shiro-spring-boot-web-starter@1.11.0"}],"aliases":["CVE-2023-22602","GHSA-7cxr-h8wm-fg4
c"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-amds-41as-8yfy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41477?format=json","vulnerability_id":"VCID-dnja-zzkd-7qcu","summary":"Improper Authentication\nWhen using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-41303.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-41303.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41303","reference_id":"","reference_type":"","scores":[{"value":"0.49287","scoring_system":"epss","scoring_elements":"0.97844","published_at":"2026-06-08T12:55:00Z"},{"value":"0.49287","scoring_system":"epss","scoring_elements":"0.97838","published_at":"2026-06-04T12:55:00Z"},{"value":"0.49287","scoring_system":"epss","scoring_elements":"0.97842","published_at":"2026-06-05T12:55:00Z"},{"value":"0.49287","scoring_system":"epss","scoring_elements":"0.97843","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41303"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41303","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41303"},{"reference_url":"https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b@%3Cuser.shiro.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://li
sts.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b@%3Cuser.shiro.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E"},{"reference_url":"https://security.netapp.com/advisory/ntap-20220609-0001","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20220609-0001"},{"reference_url":"https://security.netapp.com/advisory/ntap-20220609-0001/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20220609-0001/"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014819","reference_id":"1014819","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014819"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2006058","reference_id":"2006058","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2006058"},{"reference_url":"https://nv
d.nist.gov/vuln/detail/CVE-2021-41303","reference_id":"CVE-2021-41303","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41303"},{"reference_url":"https://github.com/advisories/GHSA-f6jp-j6w3-w9hm","reference_id":"GHSA-f6jp-j6w3-w9hm","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f6jp-j6w3-w9hm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59023?format=json","purl":"pkg:maven/org.apache.shiro/shiro-spring-boot-web-starter@1.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4gs5-8qe5-vqg9"},{"vulnerability":"VCID-amds-41as-8yfy"},{"vulnerability":"VCID-yzg7-zr9w-qubf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.shiro/shiro-spring-boot-web-starter@1.8.0"}],"aliases":["CVE-2021-41303","GHSA-f6jp-j6w3-w9hm"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dnja-zzkd-7qcu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/100909?format=json","vulnerability_id":"VCID-yzg7-zr9w-qubf","summary":"In Apache Shiro before 1.9.1, a RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. 
Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32532.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32532.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-32532","reference_id":"","reference_type":"","scores":[{"value":"0.81936","scoring_system":"epss","scoring_elements":"0.99224","published_at":"2026-06-09T12:55:00Z"},{"value":"0.81936","scoring_system":"epss","scoring_elements":"0.99222","published_at":"2026-06-04T12:55:00Z"},{"value":"0.81936","scoring_system":"epss","scoring_elements":"0.99223","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-32532"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32532","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32532"},{"reference_url":"https://github.com/apache/shiro","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/shiro"},{"reference_url":"https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-32532","reference_id":
"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-32532"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014820","reference_id":"1014820","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014820"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2107130","reference_id":"2107130","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2107130"},{"reference_url":"https://github.com/advisories/GHSA-4cf5-xmhp-3xj7","reference_id":"GHSA-4cf5-xmhp-3xj7","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4cf5-xmhp-3xj7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/503976?format=json","purl":"pkg:maven/org.apache.shiro/shiro-spring-boot-web-starter@1.9.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4gs5-8qe5-vqg9"},{"vulnerability":"VCID-amds-41as-8yfy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.shiro/shiro-spring-boot-web-starter@1.9.1"}],"aliases":["CVE-2022-32532","GHSA-4cf5-xmhp-3xj7"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yzg7-zr9w-qubf"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.shiro/shiro-spring-boot-web-starter@1.5.2"}