Impact
A specially crafted HTTP request against Apache Shiro when the shiro-guice module is integrated in a web servlet context can bypass authentication, allowing an attacker to impersonate any user. This flaw is a credential management vulnerability (CWE-289) that undermines confidentiality and integrity of protected resources.
Affected Systems
The vulnerability affects all releases of Apache Shiro through version 2.x and the 3.0.0-alpha-1 release when the shiro-guice module is used within a servlet-based web application.
Risk and Exploitability
The CVSS score of 8.2 reflects a high severity exploitation risk, though no EPSS data is available and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote via HTTP, requiring only that the application exposes a servlet using shiro-guice. An attacker can craft requests without needing privileged credentials, which makes the exploit straightforward in a reachable web environment.
OpenCVE Enrichment