{"url":"http://public2.vulnerablecode.io/api/packages/516645?format=json","purl":"pkg:maven/org.apache.shiro/shiro-core@1.7.1","type":"maven","namespace":"org.apache.shiro","name":"shiro-core","version":"1.7.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.1.0","latest_non_vulnerable_version":"2.1.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/149810?format=json","vulnerability_id":"VCID-5mgd-9nh4-vqgj","summary":"When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.\n\nThe authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching.\nMitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value:  `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22602.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22602.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22602","reference_id":"","reference_type":"","scores":[{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44324","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44484","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44497","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44477","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22602"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22602","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22602"},{"reference_url":"https://github.com/apache/shiro","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/shiro"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22602","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22602"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029039","reference_id":"1029039","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029039"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2182198","reference_id":"2182198","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2182198"},{"reference_url":"https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl","reference_id":"dzj0k2smpzzgj6g666hrbrgsrlf9yhkl","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-01T15:25:09Z/"}],"url":"https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl"},{"reference_url":"https://github.com/advisories/GHSA-7cxr-h8wm-fg4c","reference_id":"GHSA-7cxr-h8wm-fg4c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7cxr-h8wm-fg4c"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:2100","reference_id":"RHSA-2023:2100","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:2100"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3954","reference_id":"RHSA-2023:3954","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3954"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/392780?format=json","purl":"pkg:maven/org.apache.shiro/shiro-core@1.11.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-kn5e-qvx2-qqdd"},{"vulnerability":"VCID-s5uq-a9tm-6bb3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.shiro/shiro-core@1.11.0"}],"aliases":["CVE-2023-22602","GHSA-7cxr-h8wm-fg4c"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5mgd-9nh4-vqgj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/208803?format=json","vulnerability_id":"VCID-6n63-12cb-dyfp","summary":"Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-41303.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-41303.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41303","reference_id":"","reference_type":"","scores":[{"value":"0.49287","scoring_system":"epss","scoring_elements":"0.97858","published_at":"2026-06-12T12:55:00Z"},{"value":"0.49287","scoring_system":"epss","scoring_elements":"0.97849","published_at":"2026-06-11T12:55:00Z"},{"value":"0.49287","scoring_system":"epss","scoring_elements":"0.9786","published_at":"2026-06-14T12:55:00Z"},{"value":"0.49287","scoring_system":"epss","scoring_elements":"0.97859","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41303"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41303","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41303"},{"reference_url":"https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b@%3Cuser.shiro.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b@%3Cuser.shiro.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41303","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41303"},{"reference_url":"https://security.netapp.com/advisory/ntap-20220609-0001","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20220609-0001"},{"reference_url":"https://security.netapp.com/advisory/ntap-20220609-0001/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20220609-0001/"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014819","reference_id":"1014819","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014819"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2006058","reference_id":"2006058","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2006058"},{"reference_url":"https://github.com/advisories/GHSA-f6jp-j6w3-w9hm","reference_id":"GHSA-f6jp-j6w3-w9hm","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f6jp-j6w3-w9hm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/382628?format=json","purl":"pkg:maven/org.apache.shiro/shiro-core@1.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5mgd-9nh4-vqgj"},{"vulnerability":"VCID-kn5e-qvx2-qqdd"},{"vulnerability":"VCID-mn2c-tb5g-rfd4"},{"vulnerability":"VCID-nq23-xpnc-6uad"},{"vulnerability":"VCID-s5uq-a9tm-6bb3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.shiro/shiro-core@1.8.0"}],"aliases":["CVE-2021-41303","GHSA-f6jp-j6w3-w9hm"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6n63-12cb-dyfp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/132697?format=json","vulnerability_id":"VCID-kn5e-qvx2-qqdd","summary":"Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting \n\nMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46749.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46749.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-46749","reference_id":"","reference_type":"","scores":[{"value":"0.00198","scoring_system":"epss","scoring_elements":"0.42012","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00198","scoring_system":"epss","scoring_elements":"0.4202","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00198","scoring_system":"epss","scoring_elements":"0.41847","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00198","scoring_system":"epss","scoring_elements":"0.42031","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-46749"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46749","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46749"},{"reference_url":"https://security.netapp.com/advisory/ntap-20241108-0002","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20241108-0002"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060754","reference_id":"1060754","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060754"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2258134","reference_id":"2258134","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2258134"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46749","reference_id":"CVE-2023-46749","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46749"},{"reference_url":"https://github.com/advisories/GHSA-jc7h-c423-mpjc","reference_id":"GHSA-jc7h-c423-mpjc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jc7h-c423-mpjc"},{"reference_url":"https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm","reference_id":"mdv7ftz7k4488rzloxo2fb0p9shnp9wm","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T20:15:57Z/"}],"url":"https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3354","reference_id":"RHSA-2024:3354","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3354"},{"reference_url":"https://usn.ubuntu.com/7147-1/","reference_id":"USN-7147-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7147-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28408?format=json","purl":"pkg:maven/org.apache.shiro/shiro-core@1.13.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-s5uq-a9tm-6bb3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.shiro/shiro-core@1.13.0"},{"url":"http://public2.vulnerablecode.io/api/packages/28407?format=json","purl":"pkg:maven/org.apache.shiro/shiro-core@2.0.0-alpha4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.shiro/shiro-core@2.0.0-alpha4"},{"url":"http://public2.vulnerablecode.io/api/packages/685711?format=json","purl":"pkg:maven/org.apache.shiro/shiro-core@2.0.0-alpha-4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-s5uq-a9tm-6bb3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.shiro/shiro-core@2.0.0-alpha-4"}],"aliases":["CVE-2023-46749","GHSA-jc7h-c423-mpjc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kn5e-qvx2-qqdd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/209315?format=json","vulnerability_id":"VCID-mn2c-tb5g-rfd4","summary":"Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32532.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32532.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-32532","reference_id":"","reference_type":"","scores":[{"value":"0.81936","scoring_system":"epss","scoring_elements":"0.99229","published_at":"2026-06-13T12:55:00Z"},{"value":"0.81936","scoring_system":"epss","scoring_elements":"0.99226","published_at":"2026-06-11T12:55:00Z"},{"value":"0.81936","scoring_system":"epss","scoring_elements":"0.99228","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-32532"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32532","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32532"},{"reference_url":"https://github.com/apache/shiro","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/shiro"},{"reference_url":"https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014820","reference_id":"1014820","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014820"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2107130","reference_id":"2107130","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2107130"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-32532","reference_id":"CVE-2022-32532","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-32532"},{"reference_url":"https://github.com/advisories/GHSA-4cf5-xmhp-3xj7","reference_id":"GHSA-4cf5-xmhp-3xj7","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4cf5-xmhp-3xj7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/25134?format=json","purl":"pkg:maven/org.apache.shiro/shiro-core@1.9.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5mgd-9nh4-vqgj"},{"vulnerability":"VCID-kn5e-qvx2-qqdd"},{"vulnerability":"VCID-nq23-xpnc-6uad"},{"vulnerability":"VCID-s5uq-a9tm-6bb3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.shiro/shiro-core@1.9.1"}],"aliases":["CVE-2022-32532","GHSA-4cf5-xmhp-3xj7"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mn2c-tb5g-rfd4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/174010?format=json","vulnerability_id":"VCID-nq23-xpnc-6uad","summary":"Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40664.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40664.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-40664","reference_id":"","reference_type":"","scores":[{"value":"0.00542","scoring_system":"epss","scoring_elements":"0.68253","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00542","scoring_system":"epss","scoring_elements":"0.68256","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00542","scoring_system":"epss","scoring_elements":"0.68243","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00708","scoring_system":"epss","scoring_elements":"0.72653","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-40664"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40664","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40664"},{"reference_url":"https://github.com/apache/shiro","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/shiro"},{"reference_url":"https://security.netapp.com/advisory/ntap-20221118-0005","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20221118-0005"},{"reference_url":"https://shiro.apache.org/blog/2022/10/10/2022/apache-shiro-1101-released.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://shiro.apache.org/blog/2022/10/10/2022/apache-shiro-1101-released.html"},{"reference_url":"http://www.openwall.com/lists/oss-security/2022/10/12/1","reference_id":"1","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-05-15T15:02:13Z/"}],"url":"http://www.openwall.com/lists/oss-security/2022/10/12/1"},{"reference_url":"http://www.openwall.com/lists/oss-security/2022/10/13/1","reference_id":"1","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-05-15T15:02:13Z/"}],"url":"http://www.openwall.com/lists/oss-security/2022/10/13/1"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021671","reference_id":"1021671","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021671"},{"reference_url":"http://www.openwall.com/lists/oss-security/2022/10/12/2","reference_id":"2","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-05-15T15:02:13Z/"}],"url":"http://www.openwall.com/lists/oss-security/2022/10/12/2"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2193469","reference_id":"2193469","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2193469"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40664","reference_id":"CVE-2022-40664","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40664"},{"reference_url":"https://github.com/advisories/GHSA-45x9-q6vj-cqgq","reference_id":"GHSA-45x9-q6vj-cqgq","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-45x9-q6vj-cqgq"},{"reference_url":"https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg","reference_id":"loc2ktxng32xpy7lfwxto13k4lvnhjwg","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-05-15T15:02:13Z/"}],"url":"https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg"},{"reference_url":"https://security.netapp.com/advisory/ntap-20221118-0005/","reference_id":"ntap-20221118-0005","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-05-15T15:02:13Z/"}],"url":"https://security.netapp.com/advisory/ntap-20221118-0005/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/27342?format=json","purl":"pkg:maven/org.apache.shiro/shiro-core@1.10.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5mgd-9nh4-vqgj"},{"vulnerability":"VCID-kn5e-qvx2-qqdd"},{"vulnerability":"VCID-s5uq-a9tm-6bb3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.shiro/shiro-core@1.10.0"}],"aliases":["CVE-2022-40664","GHSA-45x9-q6vj-cqgq"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nq23-xpnc-6uad"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66983?format=json","vulnerability_id":"VCID-s5uq-a9tm-6bb3","summary":"Observable Timing Discrepancy vulnerability in Apache Shiro.\n\nThis issue affects Apache Shiro: from 1.*, 2.* before 2.0.7.\n\nUsers are recommended to upgrade to version 2.0.7 or later, which fixes the issue.\n\nPrior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough,\nthat a brute-force attack may be able to tell, by timing the requests only, determine if\nthe request failed because of a non-existent user vs. wrong password.\n\nThe most likely attack vector is a local attack only.\nShiro security model  https://shiro.apache.org/security-model.html#username_enumeration  discusses this as well.\n\nTypically, brute force attack can be mitigated at the infrastructure level.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23901.json","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23901.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23901","reference_id":"","reference_type":"","scores":[{"value":"8e-05","scoring_system":"epss","scoring_elements":"0.00871","published_at":"2026-06-14T12:55:00Z"},{"value":"8e-05","scoring_system":"epss","scoring_elements":"0.00862","published_at":"2026-06-12T12:55:00Z"},{"value":"8e-05","scoring_system":"epss","scoring_elements":"0.00868","published_at":"2026-06-13T12:55:00Z"},{"value":"9e-05","scoring_system":"epss","scoring_elements":"0.00941","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23901"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23901","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23901"},{"reference_url":"https://github.com/apache/shiro","reference_id":"","reference_type":"","scores":[{"value":"1.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/shiro"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/02/08/2","reference_id":"","reference_type":"","scores":[{"value":"1.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2026/02/08/2"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127944","reference_id":"1127944","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127944"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2438436","reference_id":"2438436","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2438436"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23901","reference_id":"CVE-2026-23901","reference_type":"","scores":[{"value":"1.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23901"},{"reference_url":"https://github.com/advisories/GHSA-c4qc-4q9p-m9q9","reference_id":"GHSA-c4qc-4q9p-m9q9","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c4qc-4q9p-m9q9"},{"reference_url":"https://lists.apache.org/thread/mm1jct9b86jvnh3y44tj22xvjtx3xhhh","reference_id":"mm1jct9b86jvnh3y44tj22xvjtx3xhhh","reference_type":"","scores":[{"value":"1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:Y/R:A/V:C/RE:L/U:Green"},{"value":"1.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:31:09Z/"}],"url":"https://lists.apache.org/thread/mm1jct9b86jvnh3y44tj22xvjtx3xhhh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39047?format=json","purl":"pkg:maven/org.apache.shiro/shiro-core@2.1.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.shiro/shiro-core@2.1.0"}],"aliases":["CVE-2026-23901","GHSA-c4qc-4q9p-m9q9"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s5uq-a9tm-6bb3"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.shiro/shiro-core@1.7.1"}