{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-40664", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "dateUpdated": "2024-08-03T12:21:46.341Z", "dateReserved": "2022-09-13T00:00:00", "datePublished": "2022-10-12T00:00:00"}, "containers": {"cna": {"title": "Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher", "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2022-11-18T00:00:00"}, "descriptions": [{"lang": "en", "value": "Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher."}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Shiro", "versions": [{"version": "Apache Shiro", "status": "affected", "lessThan": "1.10.0", "versionType": "custom"}]}], "references": [{"url": "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg"}, {"name": "[oss-security] 20221011 CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2022/10/12/1"}, {"name": "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2022/10/12/2"}, {"name": "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2022/10/13/1"}, {"url": "https://security.netapp.com/advisory/ntap-20221118-0005/"}], "credits": [{"lang": "en", "value": "Apache Shiro would like to thank Y4tacker for reporting this issue"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-287 Improper Authentication", "cweId": "CWE-287"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:21:46.341Z"}, "title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg", "tags": ["x_transferred"]}, {"name": "[oss-security] 20221011 CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/10/12/1"}, {"name": "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/10/12/2"}, {"name": "[oss-security] 20221012 Re: CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/10/13/1"}, {"url": "https://security.netapp.com/advisory/ntap-20221118-0005/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D80A654-E0DF-4E5D-8EB7-819A50F76F26", "versionEndExcluding": "1.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher."}, {"lang": "es", "value": "Apache Shiro versiones anteriores a 1.10.0, una vulnerabilidad de Omisi\u00f3n de Autenticaci\u00f3n en Shiro cuando es reenviado o es incluida por medio de RequestDispatcher"}], "id": "CVE-2022-40664", "lastModified": "2024-11-21T07:21:49.007", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-12T07:15:09.100", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/10/12/1"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/10/12/2"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/10/13/1"}, {"source": "security@apache.org", "tags": ["Mailing List", "Release Notes", "Vendor Advisory"], "url": "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg"}, {"source": "security@apache.org", "tags": ["Broken Link", "Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20221118-0005/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/10/12/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/10/12/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/10/13/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Release Notes", "Vendor Advisory"], "url": "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link", "Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20221118-0005/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "shiro: Authentication Bypass Vulnerability", "id": "2193469", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2193469"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-287", "details": ["Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.", "A flaw was found in Apache Shiro. An authentication bypass vulnerability occurs when forwarding or including via the RequestDispatcher."], "name": "CVE-2022-40664", "package_state": [{"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Not affected", "package_name": "shiro-core", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "shiro-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "shiro-core", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Not affected", "package_name": "shiro-core", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "shiro-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "shiro-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "shiro-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "shiro-core", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "shiro-core", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "shiro-core", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "shiro-core", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}], "public_date": "2022-10-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-40664\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-40664"], "threat_severity": "Important", "upstream_fix": "Apache Shiro 1.10.0"}