Impact
The flaw in Apache Shiro's DefaultLdapRealm enables LDAP DN injection. A remote attacker can craft a username containing RFC 2253 special characters that are concatenated directly into the DN template without escaping, allowing manipulation of the DN used for LDAP bind authentication. This can result in authentication bypass or user impersonation.
Affected Systems
All Apache Shiro releases up to and including version 2.2.0, and the 3.0.0‑alpha-1 build that employs DefaultLdapRealm are affected. Upgrading to Apache Shiro 2.2.1 or 3.0.0‑alpha-2 or later fixes the vulnerability.
Risk and Exploitability
The vulnerability receives a CVSS score of 8.8, denoting high severity. No EPSS score is publicly available, and it is not listed in CISA’s KEV database. The likely attack vector is remote unauthenticated access, where the attacker supplies a crafted username containing LDAP special characters over the network to trigger the injection. Based on the description, it is inferred that no prior authentication is required to exploit the flaw. Because the injection can modify the LDAP DN structure, the attacker can bypass authentication or impersonate other users, potentially compromising confidentiality and integrity.
OpenCVE Enrichment
Github GHSA