Vulnerability Name:

CVE-2020-1957 (CCN-178252)

Assigned:2019-12-02
Published:2020-03-23
Updated:2022-03-31
Summary:Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CVSS v3 Severity:9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): High
Availibility (A): None
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Complete
Availibility (A): None
Vulnerability Type:CWE-noinfo
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2020-1957

Source: XF
Type: UNKNOWN
apache-cve20201957-sec-bypass(178252)

Source: MISC
Type: Mailing List, Vendor Advisory
https://lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e1be238895648f5a1e6%40%3Cdev.shiro.apache.org%3E

Source: MLIST
Type: Mailing List, Patch, Vendor Advisory
[shiro-commits] 20200622 svn commit: r1879088 - /shiro/site/publish/security-reports.html

Source: MLIST
Type: Mailing List, Patch, Vendor Advisory
[shiro-commits] 20200817 svn commit: r1880941 - /shiro/site/publish/security-reports.html

Source: MLIST
Type: Mailing List, Vendor Advisory
[geode-dev] 20200406 Proposal to bring GEODE-7941 to support/1.12

Source: MLIST
Type: Mailing List, Vendor Advisory
[camel-commits] 20200325 [camel] branch camel-3.0.x updated: Updating Shiro to 1.5.2 due to CVE-2020-1957

Source: MLIST
Type: Mailing List, Patch, Vendor Advisory
[shiro-commits] 20200622 svn commit: r1879089 - /shiro/site/publish/security-reports.html

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20200419 [SECURITY] [DLA 2181-1] shiro security update

Source: CCN
Type: oss-sec Mailing List, Mon, 23 Mar 2020 14:16:50 -0400
[CVE-2020-1957] Apache Shiro 1.5.2 released

Source: CCN
Type: Apache Shiro Web site
Apache Shiro

Source: CCN
Type: IBM Security Bulletin 6491163 (Planning Analytics)
IBM Planning Analytics Workspace is affected by security vulnerabilities

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2020-1957

Vulnerable Configuration:Configuration 1:
  • cpe:/a:apache:shiro:*:*:*:*:*:*:*:* (Version < 1.5.2)

    • Configuration 2:
  • cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:apache:shiro:1.5.1:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:planning_analytics:2.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    apache shiro *
    debian debian linux 8.0
    apache shiro 1.5.1
    ibm planning analytics 2.0