CVE-2022-32532
Authorization Bypass vulnerability in shiro-core (Maven)
What is CVE-2022-32532 About?
Apache Shiro before version 1.9.1 contains an authorization bypass vulnerability when `RegexRequestMatcher` is misconfigured. This allows attackers to bypass security restrictions using specific regular expression patterns, leading to unauthorized access. Exploitation is relatively easy if the specific misconfiguration is present.
Affected Software
Technical Details
The vulnerability affects Apache Shiro versions prior to 1.9.1, specifically when a RegexRequestMatcher is configured with a RegExPatternMatcher whose pattern relies on the . character. By default, . in a Java regular expression does not match line terminators, so a request path that carries a newline character does not match a pattern such as .* even though it otherwise looks like a protected path. On some servlet containers such a path is passed through to the application, so the request never matches the intended authorization rule and the rule is not applied. An attacker can therefore craft a request URL that is not matched by the misconfigured regex and, as a result, bypasses the intended authorization rules, gaining unauthorized access to protected resources.
What is the Impact of CVE-2022-32532?
Successful exploitation may allow attackers to bypass security restrictions, leading to unauthorized access to protected resources or functionalities.
What is the Exploitability of CVE-2022-32532?
Exploiting this vulnerability has a low to moderate complexity level. The primary prerequisite is an Apache Shiro application running a version prior to 1.9.1 and, crucially, a misconfiguration in which a RegExPatternMatcher pattern uses a . in the regular expression. No specific authentication or privilege requirements are mentioned for the bypass itself, since it depends only on how the authorization rules are evaluated. The attack is remote, as it consists of sending specially crafted HTTP requests to the web application. The presence of . in the regex and its interaction with particular servlet containers are the key conditions that determine whether exploitation succeeds.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| Lay0us | Link | Apache Shiro CVE-2022-32532 |
| my0113 | Link | PoC for CVE-2022-32532 |
What are the Available Fixes for CVE-2022-32532?
About the Fix from Resolved Security
This patch ensures that regular expressions are always compiled with the DOTALL flag, so that patterns like .* also match newline characters. Previously, a request string containing a newline did not match the pattern, so the pattern matcher never validated the entire request string as intended and an attacker could bypass security restrictions by including newline characters in the input. Compiling with DOTALL closes this gap and addresses CVE-2022-32532.
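The matching behaviour described in the Technical Details section and the DOTALL fix described above, as an added audit example that is not Shiro's own code: it reproduces RegExPatternMatcher's full-string java.util.regex match with and without Pattern.DOTALL, and reports whether a given path rule stops matching once the request path carries a line terminator. The rule and path strings are constructed for the example.

```java
import java.util.regex.Pattern;

/**
 * Added example (not Apache Shiro code): checks whether a Shiro path-pattern
 * regex loses its match when the request path contains a newline, which is
 * the condition that the DOTALL flag introduced in 1.9.1 removes.
 */
public class ShiroRegexDotallCheck {

    /** Full-string match, as RegExPatternMatcher does; DOTALL is what 1.9.1 adds. */
    static boolean matches(String regex, String path, boolean dotall) {
        int flags = dotall ? Pattern.DOTALL : 0;
        return Pattern.compile(regex, flags).matcher(path).matches();
    }

    /**
     * True when the rule matches the plain path, stops matching the same path
     * once a line terminator is appended, and matches again under DOTALL.
     * Such a rule is silently skipped for newline-bearing paths before 1.9.1.
     */
    static boolean losesMatchOnNewline(String regex, String samplePath) {
        String withNewline = samplePath + "\n";
        return matches(regex, samplePath, false)
            && !matches(regex, withNewline, false)
            && matches(regex, withNewline, true);
    }

    public static void main(String[] args) {
        // Constructed configuration: a rule intended to protect everything under /admin/.
        String rule = "/admin/.*";
        String path = "/admin/users";

        System.out.println("plain path, no DOTALL   : " + matches(rule, path, false));
        System.out.println("newline path, no DOTALL : " + matches(rule, path + "\n", false));
        System.out.println("newline path, DOTALL    : " + matches(rule, path + "\n", true));
        System.out.println("rule '" + rule + "' affected : " + losesMatchOnNewline(rule, path));

        // A pattern that does not rely on '.' (e.g. [\s\S]*) already matches
        // line terminators and is therefore not affected by the missing flag.
        String explicitRule = "/admin/[\\s\\S]*";
        System.out.println("rule '" + explicitRule + "' affected : "
            + losesMatchOnNewline(explicitRule, path));
    }
}
```

Run losesMatchOnNewline over each regex in your filter chain definitions to find rules that depend on the DOTALL fix; upgrading to 1.9.1 is still the actual remediation.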
Available Upgrade Options
- org.apache.shiro:shiro-core
- <1.9.1 → Upgrade to 1.9.1
Additional Resources
What are Similar Vulnerabilities to CVE-2022-32532?
Similar Vulnerabilities: CVE-2020-11989, CVE-2020-13933, CVE-2016-4437, CVE-2020-17523, CVE-2021-34468
