PT-2023-8779 · Spring · Spring Boot

Published

2023-01-13

·

Updated

2023-08-31

·

CVE-2023-22602

CVSS v2.0

7.8

High

Vector AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions

Apache Shiro versions prior to 1.11.0
Spring Boot versions 2.6+

Description

The issue stems from a conflict of interpretations between Apache Shiro and Spring Boot, which a remote attacker can exploit with a specially crafted HTTP request to bypass authentication. The bypass occurs when Shiro and Spring Boot apply different pattern-matching techniques to the same request path: before Spring Boot 2.6 both defaulted to Ant-style pattern matching, whereas from Spring Boot 2.6 onward the Spring side no longer uses Shiro's matching style by default, so a path can be matched by one and not the other.

Recommendations

Update to Apache Shiro 1.11.0
Set the Spring Boot configuration value: spring.mvc.pathmatch.matching-strategy = ant_path_matcher
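The following audit helper is an added example, not part of this advisory or of either project's code. It turns the three conditions above (Shiro version, Spring Boot version, and the matching-strategy property) into a single check a defender can run over inventory data. It assumes an application.properties-style file (YAML is not parsed), assumes Spring Boot's relaxed binding makes ant_path_matcher, ant-path-matcher and ANT_PATH_MATCHER equivalent, and the version strings and properties text it uses are constructed.

```python
"""Audit helper for the Apache Shiro / Spring Boot path-matching mismatch
(CVE-2023-22602). Added example, not part of the advisory or either project;
the version strings and properties text below are constructed."""
import re

SHIRO_FIXED_IN = (1, 11, 0)       # advisory: fixed in Apache Shiro 1.11.0
BOOT_DEFAULT_CHANGED = (2, 6, 0)  # advisory: Spring Boot 2.6+ no longer defaults to Ant matching
MITIGATING_STRATEGY = "antpathmatcher"  # canonical form of ant_path_matcher

# Matches "key=value" or "key: value" lines in an application.properties body.
_KEY = re.compile(r"^\s*spring\.mvc\.pathmatch\.matching-strategy\s*[=:]\s*(\S+)")


def parse_version(text):
    """'1.10.1-SNAPSHOT' -> (1, 10, 1); a missing minor or patch becomes 0."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def canonical(value):
    """Spring Boot binds enum-valued properties leniently (case, '-' and '_'
    are ignored), so compare in that canonical form (assumption)."""
    return re.sub(r"[-_]", "", value).lower()


def matching_strategy(properties_text):
    """Return the last matching-strategy value set in an application.properties
    body, or None when the key is absent or only present in a comment."""
    found = None
    for line in properties_text.splitlines():
        if line.lstrip().startswith(("#", "!")):  # properties-file comments
            continue
        m = _KEY.match(line)
        if m:
            found = m.group(1)
    return found


def assess(shiro_version, boot_version, properties_text=""):
    """Return (vulnerable, reason) for one deployment.

    Vulnerable only when all three hold: Shiro < 1.11.0, Spring Boot >= 2.6,
    and matching-strategy not pinned to ant_path_matcher.
    """
    shiro = parse_version(shiro_version)
    boot = parse_version(boot_version)
    if shiro >= SHIRO_FIXED_IN:
        return False, f"Shiro {shiro_version} includes the 1.11.0 fix"
    if boot < BOOT_DEFAULT_CHANGED:
        return False, f"Spring Boot {boot_version} and Shiro both default to Ant-style matching"
    strategy = matching_strategy(properties_text)
    if strategy is not None and canonical(strategy) == MITIGATING_STRATEGY:
        return False, "matching-strategy pinned to ant_path_matcher"
    return True, (f"Shiro {shiro_version} with Spring Boot {boot_version}: "
                  f"matching-strategy is {strategy or 'unset (Spring Boot 2.6+ default)'}")


if __name__ == "__main__":
    # Constructed application.properties of a hypothetical service; note the
    # mitigation is present only as a comment, so it does not count.
    props = "server.port=8080\n# spring.mvc.pathmatch.matching-strategy=ant_path_matcher\n"
    for shiro, boot in [("1.10.1", "2.7.3"), ("1.11.0", "2.7.3"), ("1.10.1", "2.5.14")]:
        print(shiro, boot, assess(shiro, boot, props))
```

The commented-out property in the constructed file is the case that most often slips through a grep-based check: the key appears in the file, but the deployment still runs with the Spring Boot 2.6+ default, so the helper reports it as vulnerable until the Shiro upgrade or the active property is in place.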

Related Identifiers

BDU:2024-01896
CVE-2023-22602
GHSA-7CXR-H8WM-FG4C

Affected Products

Apache Shiro
Debian
Spring Boot