CVE-2022-32532

Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with . in the regular expression are possibly vulnerable to an authorization bypass.

Published: Jun 29, 2022
Updated: May 9, 2024
CVE: CVE-2022-32532
GHSA: GHSA-4cf5-xmhp-3xj7
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-863
CWE-285

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
apache / shiro	-	1.9.1
org.apache.shiro / shiro-core	-	1.9.1

https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh

Vulnerability Database

289,689

CVE-2022-32532