CVE-2022-40664
Authentication Bypass vulnerability in shiro-core (Maven)

Authentication Bypass | No known exploit

What is CVE-2022-40664 About?

This vulnerability affects Apache Shiro before version 1.10.0. When a servlet or JSP forwards or includes a request via RequestDispatcher, vulnerable versions of ShiroFilter do not apply the Shiro filter chain to the dispatched target. A request that enters through a path Shiro allows (for example an anon route) and is then forwarded to a protected path (for example an authc route) therefore reaches the protected resource without the authentication check Shiro is configured to enforce. Once an application exposes such a forward or include, exploitation needs nothing more than an unauthenticated HTTP request to the entry route.

Affected Software

org.apache.shiro:shiro-core <1.10.0

Technical Details

ShiroFilter is built on Shiro's OncePerRequestFilter: it marks the incoming request as already filtered and, in versions before 1.10.0, does not run again when the servlet container re-dispatches that same request through RequestDispatcher.forward() or include(). Shiro's filter chain is thus selected from the original request URI only. The URI of the forward or include target is never matched against the [urls] rules, so path-based filters such as authc, roles or perms configured for that target are not applied. If an application exposes a route that Shiro treats as public, and the handler for that route forwards or includes a path chosen or influenced by the client, a request to the public route reaches the protected target without authentication, bypassing the controls Shiro is configured to enforce. Shiro 1.10.0 changes the filter so that it also runs on dispatched requests and evaluates the target path against the filter chain.
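The following is an added example, not code from the advisory or from Apache Shiro. It shows the application pattern this CVE exposes (a public route that forwards to a client-chosen path) beside a hardened variant that allowlists forward targets and, where a handler must dispatch into a protected area, re-checks the Subject in code. It assumes a shiro.ini whose [urls] section maps /public/** to anon and /admin/** to authc; the servlet paths, the page parameter and the class names are hypothetical.

```java
// Added example, not code from the advisory or from Apache Shiro.
// Assumed shiro.ini [urls]:
//   /public/** = anon
//   /admin/**  = authc
// Servlet paths, the "page" parameter and the class names are hypothetical.
package example;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;

public class ForwardExamples {

    /**
     * Vulnerable pattern. GET /public/view?page=admin/index is matched by Shiro
     * as "anon" for /public/view. Before 1.10.0 ShiroFilter does not run again
     * for the forward, so the "authc" rule for /admin/** never sees the target.
     */
    @WebServlet("/public/view")
    public static class PageServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            String page = req.getParameter("page"); // client-controlled
            req.getRequestDispatcher("/" + page).forward(req, resp);
        }
    }

    /**
     * Hardened pattern: the forward target comes from a fixed allowlist, so a
     * client cannot steer the dispatch into a protected prefix.
     */
    @WebServlet("/public/safe-view")
    public static class SafePageServlet extends HttpServlet {
        private static final Set<String> PUBLIC_PAGES = Collections.unmodifiableSet(
                new HashSet<>(Arrays.asList("home", "about", "contact")));

        /** Maps a client-supplied page name to a forward target, or null if it is not allowed. */
        static String resolveTarget(String page) {
            if (page == null || !PUBLIC_PAGES.contains(page)) {
                return null;
            }
            return "/WEB-INF/pages/" + page + ".jsp";
        }

        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            String target = resolveTarget(req.getParameter("page"));
            if (target == null) {
                resp.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
            req.getRequestDispatcher(target).forward(req, resp);
        }
    }

    /**
     * For handlers that must dispatch into a Shiro-protected area, enforce the
     * decision in code. The Subject that ShiroFilter bound for the original
     * request is available on this thread whether or not the filter re-runs
     * on the forward, so this check does not depend on the Shiro version.
     */
    static boolean forwardIfAuthenticated(HttpServletRequest req, HttpServletResponse resp,
                                          String protectedTarget)
            throws ServletException, IOException {
        if (!SecurityUtils.getSubject().isAuthenticated()) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }
        req.getRequestDispatcher(protectedTarget).forward(req, resp);
        return true;
    }
}
```

The allowlist is the primary control: it removes the client's ability to pick the dispatch target at all. The explicit Subject check is defense in depth for code paths that legitimately forward into protected areas, and it remains worthwhile after upgrading, since it does not rely on the filter chain being re-applied to the target path.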

What is the Impact of CVE-2022-40664?

Successful exploitation allows an unauthenticated attacker to bypass the path-based authentication rules Shiro applies to a forwarded or included resource and gain unauthorized access to it. The resulting impact depends on what that resource exposes, from protected data to privileged application functionality.

What is the Exploitability of CVE-2022-40664?

Exploitation requires no prior authentication and no privileges, and it is performed remotely over HTTP against the web application, since the flaw sits in the authentication layer itself. The prerequisite is on the application side: a route that Shiro treats as accessible whose handler forwards or includes a Shiro-protected path, with the attacker able to reach that route and, in practice, to influence the dispatch target. Finding such a route takes knowledge of the application's request handling rather than of Shiro internals; once found, a single crafted request is enough. Applications that route through a front-controller servlet or a template dispatcher that forwards to paths derived from request parameters are the most exposed.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary entries listed).

What are the Available Fixes for CVE-2022-40664?

Available Upgrade Options

  • org.apache.shiro:shiro-core
    • <1.10.0 → Upgrade to 1.10.0
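The fixed ShiroFilter only helps if the container actually invokes it on dispatched requests; a filter mapped for the REQUEST dispatcher type alone never sees RequestDispatcher traffic, which is why Shiro's web.xml documentation lists FORWARD, INCLUDE and ERROR alongside REQUEST. The following is an added example, not code from the advisory or from Apache Shiro, of registering ShiroFilter programmatically with all four dispatcher types. It assumes org.apache.shiro:shiro-web at 1.10.0 or later (which depends on the fixed shiro-core) and a shiro.ini that EnvironmentLoaderListener can locate; the class name is hypothetical.

```java
// Added example, not code from the advisory or from Apache Shiro.
// Assumes org.apache.shiro:shiro-web >= 1.10.0 and a shiro.ini that
// EnvironmentLoaderListener can find; the class name is hypothetical.
package example;

import java.util.EnumSet;
import javax.servlet.DispatcherType;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.annotation.WebListener;
import org.apache.shiro.web.env.EnvironmentLoaderListener;
import org.apache.shiro.web.servlet.ShiroFilter;

@WebListener
public class ShiroRegistration extends EnvironmentLoaderListener {

    /** Dispatcher types ShiroFilter must be mapped for; REQUEST alone misses forwards and includes. */
    static final EnumSet<DispatcherType> ALL_DISPATCHES = EnumSet.of(
            DispatcherType.REQUEST, DispatcherType.FORWARD,
            DispatcherType.INCLUDE, DispatcherType.ERROR);

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // EnvironmentLoaderListener reads shiro.ini and stores the WebEnvironment
        // in the ServletContext; ShiroFilter.init() looks it up there, and filters
        // are initialised only after all context listeners have run.
        super.contextInitialized(sce);

        ServletContext ctx = sce.getServletContext();
        FilterRegistration.Dynamic shiro = ctx.addFilter("ShiroFilter", ShiroFilter.class);
        // Without FORWARD and INCLUDE here, the 1.10.0 change (ShiroFilter
        // re-running on dispatch) can never take effect for forwarded targets.
        // isMatchAfter=true places this mapping after any declared in web.xml.
        shiro.addMappingForUrlPatterns(ALL_DISPATCHES, true, "/*");
    }
}
```

To confirm which shiro-core version a build actually resolves, including transitively through shiro-web or the Spring Boot starter, inspect the Maven dependency tree filtered to org.apache.shiro rather than trusting the declared version in the pom, since a managed or transitive version can be older than expected.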


Additional Resources

What are Similar Vulnerabilities to CVE-2022-40664?

Similar Vulnerabilities: CVE-2020-13933, CVE-2020-1947, CVE-2021-44228, CVE-2020-11987, CVE-2022-22965