CVE-2021-41303 — Apache Shiro vulnerable to a specially crafted HTTP request causing an authentic

Description

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.

How to fix CVE-2021-41303

To remediate CVE-2021-41303, upgrade the affected package to a fixed version below.

Debian/shiro—no fix listed
—upgrade to 1.8.0 or later

Is CVE-2021-41303 being exploited?

Moderate — EPSS is 49.3%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

from 0
from 0, < 1.8.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-41303
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-41303
WEBlists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b@%3Cuser.shiro.apache.org%3E
WEBlists.apache.org