Posted to dev@shiro.apache.org by Brian Demers <br...@gmail.com> on 2023/01/13 17:30:43 UTC

[ANNOUNCE][CVE-2023-22602] Apache Shiro 1.11.0 released

The Apache Shiro team is pleased to announce the release of Apache Shiro
version 1.11.0.
This is a feature release for 1.x.

This release solves 3 issues since the previous 1.x release and is available
for download now[1].

This release includes classifiers for the Jakarta namespace.

CVE-2023-22602

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a
specially crafted HTTP request may cause an authentication bypass.
The authentication bypass occurs when Shiro and Spring Boot are using
different pattern-matching techniques: Shiro evaluates its filter chain
definitions with Ant-style pattern matching, while Spring Boot 2.6 changed
the Spring MVC default from AntPathMatcher to PathPatternParser. When the
two disagree about which pattern a request path matches, a request can
pass Shiro's filters unauthenticated and still be routed by Spring MVC to
the handler those filters were meant to protect. Both Shiro and Spring
Boot < 2.6 default to Ant-style pattern matching, so that combination is
not affected.


Mitigation: Update to Apache Shiro 1.11.0, or, if you cannot upgrade yet,
set the following Spring Boot configuration value (for example in
application.properties). It puts Spring MVC back on Ant-style matching so
both sides agree on which paths a pattern covers; it is a workaround, not a
replacement for the upgrade:

spring.mvc.pathmatch.matching-strategy = ant_path_matcher
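The following audit script is an added example, not code from the Shiro
project or this announcement. It turns the advisory's conditions into a
check: given a Maven pom.xml and an application.properties, it reports
whether the build is in the exposed window (Shiro < 1.11.0 with Spring Boot
2.6+ and the MVC matching strategy not pinned to ant_path_matcher). It
assumes the versions are visible in the pom (in <parent> or a <dependency>,
possibly via a ${property}), handles only the .properties form of the
setting (not YAML), and treats an unset property on Boot >= 2.6 as Spring's
path_pattern_parser default. It goes slightly beyond the advisory's
wording in one respect: any explicit non-Ant strategy is flagged, because
the cause the advisory names is the mismatch itself. The pom and property
samples are constructed for the example.

```python
"""Audit a Spring Boot + Shiro build for the CVE-2023-22602 exposure window.

Added example, not Shiro project code. Rule from the advisory: Shiro < 1.11.0
with Spring Boot 2.6+ is exposed unless spring.mvc.pathmatch.matching-strategy
is pinned to ant_path_matcher. Spring Boot 2.6 changed that property's default
to path_pattern_parser, so an unset property on Boot >= 2.6 is the mismatch.
"""
import re
import xml.etree.ElementTree as ET

PROPERTY = "spring.mvc.pathmatch.matching-strategy"
FIXED_SHIRO = (1, 11, 0)       # first release carrying the SHIRO-903 fix
BOOT_NEW_DEFAULT = (2, 6, 0)   # Boot default flipped to path_pattern_parser here


def parse_version(text):
    """'1.10.1' -> (1, 10, 1); '2.7.7-SNAPSHOT' -> (2, 7, 7). Missing parts are 0."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments; '=', ':' or blank separators."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        parts = re.split(r"\s*[=:]\s*|\s+", line, maxsplit=1)
        props[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return props


def _local(tag):
    """Drop the Maven XML namespace: '{http://maven.apache.org/POM/4.0.0}version' -> 'version'."""
    return tag.rsplit("}", 1)[-1]


def pom_versions(pom_xml):
    """{artifactId: version} for the <parent> and every <dependency>, resolving ${property} refs."""
    root = ET.fromstring(pom_xml)
    props = {}
    for node in root.iter():
        if _local(node.tag) == "properties":
            props.update({_local(p.tag): (p.text or "").strip() for p in node})
    found = {}
    for node in root.iter():
        if _local(node.tag) in ("parent", "dependency"):
            fields = {_local(c.tag): (c.text or "").strip() for c in node}
            version = re.sub(r"\$\{([^}]+)\}",
                             lambda m: props.get(m.group(1), m.group(0)),
                             fields.get("version", ""))
            if fields.get("artifactId") and version:
                found[fields["artifactId"]] = version
    return found


def _first_version(versions, prefix):
    for artifact, version in versions.items():
        if artifact.startswith(prefix):
            return parse_version(version)
    return None


def _fmt(version):
    return ".".join(map(str, version))


def assess(pom_xml, properties_text):
    """Return (status, reason); status is 'unknown', 'fixed', 'not-affected', 'mitigated' or 'vulnerable'."""
    versions = pom_versions(pom_xml)
    shiro = _first_version(versions, "shiro-")
    boot = _first_version(versions, "spring-boot")
    if shiro is None or boot is None:
        return "unknown", "could not find both a shiro-* and a spring-boot* artifact with a version"
    if shiro >= FIXED_SHIRO:
        return "fixed", f"Shiro {_fmt(shiro)} carries the SHIRO-903 fix"
    # Effective Spring MVC strategy: an explicit property wins, otherwise Boot's default.
    props = parse_properties(properties_text)
    default = "path_pattern_parser" if boot >= BOOT_NEW_DEFAULT else "ant_path_matcher"
    strategy = props.get(PROPERTY, default).lower()
    if strategy != "ant_path_matcher":
        return "vulnerable", (f"Shiro {_fmt(shiro)} uses Ant patterns but Spring Boot "
                              f"{_fmt(boot)} matches with {strategy!r}")
    if PROPERTY in props:
        return "mitigated", f"{PROPERTY}={strategy} keeps Spring MVC on Ant matching; still upgrade Shiro"
    return "not-affected", f"Spring Boot {_fmt(boot)} still defaults to Ant matching"


# Constructed sample inputs for the example (not from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.7</version>
  </parent>
  <properties><shiro.version>1.10.1</shiro.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.shiro</groupId>
      <artifactId>shiro-spring-boot-web-starter</artifactId>
      <version>${shiro.version}</version>
    </dependency>
  </dependencies>
</project>"""
UNSET_PROPS = "server.port=8080\n"
PINNED_PROPS = "server.port=8080\nspring.mvc.pathmatch.matching-strategy = ant_path_matcher\n"

if __name__ == "__main__":
    for label, props in (("default strategy", UNSET_PROPS), ("pinned to ant", PINNED_PROPS)):
        status, reason = assess(SAMPLE_POM, props)
        print(f"{label}: {status} ({reason})")
```

Run against a real build by reading its pom.xml and application.properties
into the two assess() arguments. A "mitigated" result means the workaround
is in place; it does not remove the need to move to 1.11.0, and projects
that keep the setting in YAML or a profile-specific file need that file
parsed as well.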


Credit:
Apache Shiro would like to thank v3ged0ge and Adamytd for reporting this
issue.


Bugs

* [SHIRO-903] - Shiro must use ant pattern matching with Spring
* [SHIRO-899] - Jakarta 9+ fails with Shiro native sessions

Improvements

* [SHIRO-889] - Provide Jakarta jar modules

Release binaries (.jars) are also available through Maven Central and
source bundles through Apache distribution mirrors.

For more information on Shiro, please read the documentation [2].

-The Apache Shiro Team

[1] http://shiro.apache.org/download.html
[2] http://shiro.apache.org/documentation.html