Vulnerable Library - buji-pac4j-3.2.0.jar
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.9.3/commons-beanutils-1.9.3.jar
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Exploit Maturity |
EPSS |
Dependency |
Type |
Fixed in (buji-pac4j version) |
Remediation Possible** |
Reachability |
| CVE-2023-34478 |
 Critical |
9.8 |
High |
0.0% |
shiro-core-1.4.0.jar |
Transitive |
9.0.0 |
✅ |
|
| CVE-2023-25581 |
Critical |
9.8 |
Not Defined |
19.0% |
pac4j-core-2.2.1.jar |
Transitive |
N/A* |
❌ |
|
| CVE-2022-40664 |
Critical |
9.8 |
Not Defined |
0.70000005% |
detected in multiple dependencies |
Transitive |
N/A* |
❌ |
|
| CVE-2022-32532 |
Critical |
9.8 |
Not Defined |
80.9% |
shiro-core-1.4.0.jar |
Transitive |
N/A* |
❌ |
|
| CVE-2021-41303 |
Critical |
9.8 |
Not Defined |
46.8% |
shiro-core-1.4.0.jar |
Transitive |
N/A* |
❌ |
|
| CVE-2020-1957 |
Critical |
9.8 |
Not Defined |
88.6% |
detected in multiple dependencies |
Transitive |
N/A* |
❌ |
|
| CVE-2020-17523 |
Critical |
9.8 |
Not Defined |
88.8% |
shiro-web-1.4.0.jar |
Transitive |
N/A* |
❌ |
|
| CVE-2020-17510 |
Critical |
9.8 |
Not Defined |
1.8% |
shiro-web-1.4.0.jar |
Transitive |
N/A* |
❌ |
|
| CVE-2020-11989 |
Critical |
9.8 |
Not Defined |
84.7% |
detected in multiple dependencies |
Transitive |
N/A* |
❌ |
|
| CVE-2025-48734 |
 High |
8.8 |
Not Defined |
0.2% |
commons-beanutils-1.9.3.jar |
Transitive |
N/A* |
❌ |
|
| CVE-2020-13933 |
High |
7.5 |
Not Defined |
69.5% |
shiro-core-1.4.0.jar |
Transitive |
N/A* |
❌ |
|
| CVE-2019-12422 |
High |
7.5 |
Not Defined |
54.9% |
detected in multiple dependencies |
Transitive |
N/A* |
❌ |
|
| CVE-2019-10086 |
High |
7.3 |
Not Defined |
1.2% |
commons-beanutils-1.9.3.jar |
Transitive |
5.0.0 |
✅ |
|
| CVE-2014-0114 |
High |
7.3 |
Not Defined |
92.7% |
commons-beanutils-1.9.3.jar |
Transitive |
5.0.0 |
✅ |
|
| CVE-2026-40458 |
High |
7.1 |
Not Defined |
0.0% |
pac4j-core-2.2.1.jar |
Transitive |
N/A* |
❌ |
|
| CVE-2023-46749 |
 Medium |
6.5 |
Not Defined |
0.2% |
detected in multiple dependencies |
Transitive |
N/A* |
❌ |
|
| CVE-2023-46750 |
Medium |
6.1 |
Not Defined |
0.2% |
shiro-web-1.4.0.jar |
Transitive |
8.2.0 |
✅ |
|
| CVE-2026-23903 |
Medium |
5.3 |
Not Defined |
0.1% |
shiro-web-1.4.0.jar |
Transitive |
9.1.1 |
✅ |
|
| CVE-2026-23901 |
 Low |
2.5 |
Not Defined |
0.0% |
shiro-core-1.4.0.jar |
Transitive |
9.1.1 |
✅ |
|
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-34478
Vulnerable Library - shiro-core-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles
authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar
Dependency Hierarchy:
- buji-pac4j-3.2.0.jar (Root Library)
- shiro-web-1.4.0.jar
- ❌ shiro-core-1.4.0.jar (Vulnerable Library)
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.
Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+
Publish Date: 2023-07-24
URL: CVE-2023-34478
Threat Assessment
Exploit Maturity: High
EPSS: 0.0%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2023-07-24
Fix Resolution (org.apache.shiro:shiro-core): 1.12.0
Direct dependency fix Resolution (io.buji:buji-pac4j): 9.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-25581
Vulnerable Library - pac4j-core-2.2.1.jar
Profile & Authentication Client for Java
Library home page: https://github.com/pac4j/pac4j
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/pac4j/pac4j-core/2.2.1/pac4j-core-2.2.1.jar
Dependency Hierarchy:
- buji-pac4j-3.2.0.jar (Root Library)
- ❌ pac4j-core-2.2.1.jar (Vulnerable Library)
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
pac4j is a security framework for Java. pac4j-core prior to version 4.0.0 is affected by a Java deserialization vulnerability. The vulnerability affects systems that store externally controlled values in attributes of the UserProfile class from pac4j-core. It can be exploited by providing an attribute that contains a serialized Java object with a special prefix {#sb64} and Base64 encoding. This issue may lead to Remote Code Execution (RCE) in the worst case. Although a RestrictedObjectInputStream is in place, that puts some restriction on what classes can be deserialized, it still allows a broad range of java packages and potentially exploitable with different gadget chains. pac4j versions 4.0.0 and greater are not affected by this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-10-10
URL: CVE-2023-25581
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 19.0%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-76mw-6p95-x9x5
Release Date: 2024-10-10
Fix Resolution: org.pac4j:pac4j-core:4.0.0
CVE-2022-40664
Vulnerable Libraries - shiro-core-1.4.0.jar, shiro-web-1.4.0.jar
shiro-core-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles
authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar
Dependency Hierarchy:
- buji-pac4j-3.2.0.jar (Root Library)
- shiro-web-1.4.0.jar
- ❌ shiro-core-1.4.0.jar (Vulnerable Library)
shiro-web-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles
authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar
Dependency Hierarchy:
- buji-pac4j-3.2.0.jar (Root Library)
- ❌ shiro-web-1.4.0.jar (Vulnerable Library)
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.
Publish Date: 2022-10-12
URL: CVE-2022-40664
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.70000005%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-45x9-q6vj-cqgq
Release Date: 2022-10-12
Fix Resolution: org.apache.shiro:shiro-core:1.10.0
CVE-2022-32532
Vulnerable Library - shiro-core-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles
authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar
Dependency Hierarchy:
- buji-pac4j-3.2.0.jar (Root Library)
- shiro-web-1.4.0.jar
- ❌ shiro-core-1.4.0.jar (Vulnerable Library)
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with . in the regular expression are possibly vulnerable to an authorization bypass.
Publish Date: 2022-06-28
URL: CVE-2022-32532
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 80.9%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-4cf5-xmhp-3xj7
Release Date: 2022-06-28
Fix Resolution: org.apache.shiro:shiro-core:1.9.1
CVE-2021-41303
Vulnerable Library - shiro-core-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles
authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar
Dependency Hierarchy:
- buji-pac4j-3.2.0.jar (Root Library)
- shiro-web-1.4.0.jar
- ❌ shiro-core-1.4.0.jar (Vulnerable Library)
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.
Publish Date: 2021-09-17
URL: CVE-2021-41303
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 46.8%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-f6jp-j6w3-w9hm
Release Date: 2021-09-17
Fix Resolution: org.apache.shiro:shiro-core:1.8.0
CVE-2020-1957
Vulnerable Libraries - shiro-core-1.4.0.jar, shiro-web-1.4.0.jar
shiro-core-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles
authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar
Dependency Hierarchy:
- buji-pac4j-3.2.0.jar (Root Library)
- shiro-web-1.4.0.jar
- ❌ shiro-core-1.4.0.jar (Vulnerable Library)
shiro-web-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles
authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar
Dependency Hierarchy:
- buji-pac4j-3.2.0.jar (Root Library)
- ❌ shiro-web-1.4.0.jar (Vulnerable Library)
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
Publish Date: 2020-03-25
URL: CVE-2020-1957
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 88.6%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-26gr-cvq3-qxgf
Release Date: 2020-03-25
Fix Resolution: org.apache.shiro:shiro-core:1.5.2
CVE-2020-17523
Vulnerable Library - shiro-web-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles
authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar
Dependency Hierarchy:
- buji-pac4j-3.2.0.jar (Root Library)
- ❌ shiro-web-1.4.0.jar (Vulnerable Library)
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
Publish Date: 2021-02-03
URL: CVE-2020-17523
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 88.8%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-v98j-7crc-wvrj
Release Date: 2021-02-03
Fix Resolution: org.apache.shiro:shiro-spring:1.7.1,org.apache.shiro:shiro-web:1.7.1,org.apache.shiro:shiro-spring-boot-starter:1.7.1
CVE-2020-17510
Vulnerable Library - shiro-web-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles
authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar
Dependency Hierarchy:
- buji-pac4j-3.2.0.jar (Root Library)
- ❌ shiro-web-1.4.0.jar (Vulnerable Library)
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
Publish Date: 2020-11-05
URL: CVE-2020-17510
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.8%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-7cj4-gj8m-m2f7
Release Date: 2020-11-05
Fix Resolution: org.apache.shiro:shiro-spring:1.7.0
CVE-2020-11989
Vulnerable Libraries - shiro-core-1.4.0.jar, shiro-web-1.4.0.jar
shiro-core-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles
authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar
Dependency Hierarchy:
- buji-pac4j-3.2.0.jar (Root Library)
- shiro-web-1.4.0.jar
- ❌ shiro-core-1.4.0.jar (Vulnerable Library)
shiro-web-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles
authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar
Dependency Hierarchy:
- buji-pac4j-3.2.0.jar (Root Library)
- ❌ shiro-web-1.4.0.jar (Vulnerable Library)
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
Publish Date: 2020-06-22
URL: CVE-2020-11989
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 84.7%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-72w9-fcj5-3fcg
Release Date: 2020-06-22
Fix Resolution: org.apache.shiro:shiro-core:1.5.3
CVE-2025-48734
Vulnerable Library - commons-beanutils-1.9.3.jar
Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.9.3/commons-beanutils-1.9.3.jar
Dependency Hierarchy:
- buji-pac4j-3.2.0.jar (Root Library)
- shiro-web-1.4.0.jar
- shiro-core-1.4.0.jar
- shiro-config-ogdl-1.4.0.jar
- ❌ commons-beanutils-1.9.3.jar (Vulnerable Library)
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Improper Access Control vulnerability in Apache Commons.
A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default.
Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().
Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests.
This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils
1.x are recommended to upgrade to version 1.11.0, which fixes the issue.
Users of the artifact org.apache.commons:commons-beanutils2
2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.
Publish Date: 2025-05-28
URL: CVE-2025-48734
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-wxr5-93ph-8wr9
Release Date: 2025-05-28
Fix Resolution: https://github.com/apache/commons-beanutils.git - commons-beanutils-2.0.0-M2-RC1,https://github.com/apache/commons-beanutils.git - rel/commons-beanutils-2.0.0-M2,https://github.com/apache/commons-beanutils.git - rel/commons-beanutils-1.11.0,org.apache.commons:commons-beanutils2:2.0.0-M2,commons-beanutils:commons-beanutils:1.11.0
CVE-2020-13933
Vulnerable Library - shiro-core-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles
authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar
Dependency Hierarchy:
- buji-pac4j-3.2.0.jar (Root Library)
- shiro-web-1.4.0.jar
- ❌ shiro-core-1.4.0.jar (Vulnerable Library)
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
Publish Date: 2020-08-17
URL: CVE-2020-13933
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 69.5%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-2vgm-wxr3-6w2j
Release Date: 2020-08-17
Fix Resolution: org.apache.shiro:shiro-core:1.6.0
CVE-2019-12422
Vulnerable Libraries - shiro-core-1.4.0.jar, shiro-crypto-cipher-1.4.0.jar
shiro-core-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles
authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar
Dependency Hierarchy:
- buji-pac4j-3.2.0.jar (Root Library)
- shiro-web-1.4.0.jar
- ❌ shiro-core-1.4.0.jar (Vulnerable Library)
shiro-crypto-cipher-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles
authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-crypto-cipher/1.4.0/shiro-crypto-cipher-1.4.0.jar
Dependency Hierarchy:
- buji-pac4j-3.2.0.jar (Root Library)
- shiro-web-1.4.0.jar
- shiro-core-1.4.0.jar
- ❌ shiro-crypto-cipher-1.4.0.jar (Vulnerable Library)
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
Publish Date: 2019-11-18
URL: CVE-2019-12422
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 54.9%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-r679-m633-g7wc
Release Date: 2019-11-18
Fix Resolution: org.apache.shiro:shiro-core:1.4.2
CVE-2019-10086
Vulnerable Library - commons-beanutils-1.9.3.jar
Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.9.3/commons-beanutils-1.9.3.jar
Dependency Hierarchy:
- buji-pac4j-3.2.0.jar (Root Library)
- shiro-web-1.4.0.jar
- shiro-core-1.4.0.jar
- shiro-config-ogdl-1.4.0.jar
- ❌ commons-beanutils-1.9.3.jar (Vulnerable Library)
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
Publish Date: 2019-08-20
URL: CVE-2019-10086
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.2%
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2019-08-20
Fix Resolution (commons-beanutils:commons-beanutils): 1.9.4
Direct dependency fix Resolution (io.buji:buji-pac4j): 5.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2014-0114
Vulnerable Library - commons-beanutils-1.9.3.jar
Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.9.3/commons-beanutils-1.9.3.jar
Dependency Hierarchy:
- buji-pac4j-3.2.0.jar (Root Library)
- shiro-web-1.4.0.jar
- shiro-core-1.4.0.jar
- shiro-config-ogdl-1.4.0.jar
- ❌ commons-beanutils-1.9.3.jar (Vulnerable Library)
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Publish Date: 2014-04-30
URL: CVE-2014-0114
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 92.7%
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
Release Date: 2014-04-30
Fix Resolution (commons-beanutils:commons-beanutils): 1.9.4
Direct dependency fix Resolution (io.buji:buji-pac4j): 5.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-40458
Vulnerable Library - pac4j-core-2.2.1.jar
Profile & Authentication Client for Java
Library home page: https://github.com/pac4j/pac4j
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/pac4j/pac4j-core/2.2.1/pac4j-core-2.2.1.jar
Dependency Hierarchy:
- buji-pac4j-3.2.0.jar (Root Library)
- ❌ pac4j-core-2.2.1.jar (Vulnerable Library)
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
PAC4J is vulnerable to Cross-Site Request Forgery (CSRF). A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the attacker does not need to know the victim’s CSRF token or its hash prior to the attack. Collisions in the deterministic String.hashCode() function can be computed directly, reducing the effective token's security space to 32 bits. This bypasses CSRF protection, allowing profile updates, password changes, account linking, and any other state-changing operations to be performed without the victim's consent.
This issue was fixed in PAC4J versions 5.7.10 and 6.4.1
Publish Date: 2026-04-17
URL: CVE-2026-40458
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-17
Fix Resolution: https://github.com/pac4j/pac4j.git - pac4j-parent-5.7.10,https://github.com/pac4j/pac4j.git - pac4j-parent-6.4.1
CVE-2023-46749
Vulnerable Libraries - shiro-core-1.4.0.jar, shiro-web-1.4.0.jar
shiro-core-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles
authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar
Dependency Hierarchy:
- buji-pac4j-3.2.0.jar (Root Library)
- shiro-web-1.4.0.jar
- ❌ shiro-core-1.4.0.jar (Vulnerable Library)
shiro-web-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles
authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar
Dependency Hierarchy:
- buji-pac4j-3.2.0.jar (Root Library)
- ❌ shiro-web-1.4.0.jar (Vulnerable Library)
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting
Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure "blockSemicolon" is enabled (this is the default).
Publish Date: 2024-01-15
URL: CVE-2023-46749
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-46749
Release Date: 2024-01-15
Fix Resolution: org.apache.shiro:shiro-all:1.13.0, org.apache.shiro:shiro-web:1.13.0
CVE-2023-46750
Vulnerable Library - shiro-web-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles
authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar
Dependency Hierarchy:
- buji-pac4j-3.2.0.jar (Root Library)
- ❌ shiro-web-1.4.0.jar (Vulnerable Library)
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro.
Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.
Publish Date: 2023-12-14
URL: CVE-2023-46750
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-hhw5-c326-822h
Release Date: 2023-12-14
Fix Resolution (org.apache.shiro:shiro-web): 1.13.0
Direct dependency fix Resolution (io.buji:buji-pac4j): 8.2.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-23903
Vulnerable Library - shiro-web-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles
authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar
Dependency Hierarchy:
- buji-pac4j-3.2.0.jar (Root Library)
- ❌ shiro-web-1.4.0.jar (Vulnerable Library)
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Authentication Bypass by Alternate Name vulnerability in Apache Shiro.
This issue affects Apache Shiro: before 2.0.7.
Users are recommended to upgrade to version 2.0.7, which fixes the issue.
The issue only effects static files. If static files are served from a case-insensitive filesystem,
such as default macOS setup, static files may be accessed by varying the case of the filename in the request.
If only lower-case (common default) filters are present in Shiro, they may be bypassed this way.
Shiro 2.0.7 and later has a new parameters to remediate this issue
shiro.ini: filterChainResolver.caseInsensitive = true
application.propertie: shiro.caseInsensitive=true
Shiro 3.0.0 and later (upcoming) makes this the default.
Publish Date: 2026-02-09
URL: CVE-2026-23903
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/5jjf0hnjcol58z2m5y255c7scz1lnp8k
Release Date: 2026-02-09
Fix Resolution (org.apache.shiro:shiro-web): 2.0.7
Direct dependency fix Resolution (io.buji:buji-pac4j): 9.1.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-23901
Vulnerable Library - shiro-core-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles
authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar
Dependency Hierarchy:
- buji-pac4j-3.2.0.jar (Root Library)
- shiro-web-1.4.0.jar
- ❌ shiro-core-1.4.0.jar (Vulnerable Library)
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Observable Timing Discrepancy vulnerability in Apache Shiro.
This issue affects Apache Shiro: from 1., 2. before 2.0.7.
Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue.
Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough,
that a brute-force attack may be able to tell, by timing the requests only, determine if
the request failed because of a non-existent user vs. wrong password.
The most likely attack vector is a local attack only.
Shiro security model https://shiro.apache.org/security-model.html#username_enumeration discusses this as well.
Typically, brute force attack can be mitigated at the infrastructure level.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-02-10
URL: CVE-2026-23901
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (2.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://seclists.org/oss-sec/2026/q1/149
Release Date: 2026-02-07
Fix Resolution (org.apache.shiro:shiro-core): 2.1.0
Direct dependency fix Resolution (io.buji:buji-pac4j): 9.1.1
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.9.3/commons-beanutils-1.9.3.jar
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - shiro-core-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.
Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+
Publish Date: 2023-07-24
URL: CVE-2023-34478
Threat Assessment
Exploit Maturity: High
EPSS: 0.0%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2023-07-24
Fix Resolution (org.apache.shiro:shiro-core): 1.12.0
Direct dependency fix Resolution (io.buji:buji-pac4j): 9.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - pac4j-core-2.2.1.jar
Profile & Authentication Client for Java
Library home page: https://github.com/pac4j/pac4j
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/pac4j/pac4j-core/2.2.1/pac4j-core-2.2.1.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
pac4j is a security framework for Java.
pac4j-coreprior to version 4.0.0 is affected by a Java deserialization vulnerability. The vulnerability affects systems that store externally controlled values in attributes of theUserProfileclass from pac4j-core. It can be exploited by providing an attribute that contains a serialized Java object with a special prefix{#sb64}and Base64 encoding. This issue may lead to Remote Code Execution (RCE) in the worst case. Although aRestrictedObjectInputStreamis in place, that puts some restriction on what classes can be deserialized, it still allows a broad range of java packages and potentially exploitable with different gadget chains. pac4j versions 4.0.0 and greater are not affected by this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability.Publish Date: 2024-10-10
URL: CVE-2023-25581
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 19.0%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-76mw-6p95-x9x5
Release Date: 2024-10-10
Fix Resolution: org.pac4j:pac4j-core:4.0.0
Vulnerable Libraries - shiro-core-1.4.0.jar, shiro-web-1.4.0.jar
shiro-core-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar
Dependency Hierarchy:
shiro-web-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.
Publish Date: 2022-10-12
URL: CVE-2022-40664
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.70000005%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-45x9-q6vj-cqgq
Release Date: 2022-10-12
Fix Resolution: org.apache.shiro:shiro-core:1.10.0
Vulnerable Library - shiro-core-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with
.in the regular expression are possibly vulnerable to an authorization bypass.Publish Date: 2022-06-28
URL: CVE-2022-32532
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 80.9%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-4cf5-xmhp-3xj7
Release Date: 2022-06-28
Fix Resolution: org.apache.shiro:shiro-core:1.9.1
Vulnerable Library - shiro-core-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.
Publish Date: 2021-09-17
URL: CVE-2021-41303
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 46.8%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-f6jp-j6w3-w9hm
Release Date: 2021-09-17
Fix Resolution: org.apache.shiro:shiro-core:1.8.0
Vulnerable Libraries - shiro-core-1.4.0.jar, shiro-web-1.4.0.jar
shiro-core-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar
Dependency Hierarchy:
shiro-web-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
Publish Date: 2020-03-25
URL: CVE-2020-1957
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 88.6%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-26gr-cvq3-qxgf
Release Date: 2020-03-25
Fix Resolution: org.apache.shiro:shiro-core:1.5.2
Vulnerable Library - shiro-web-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
Publish Date: 2021-02-03
URL: CVE-2020-17523
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 88.8%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-v98j-7crc-wvrj
Release Date: 2021-02-03
Fix Resolution: org.apache.shiro:shiro-spring:1.7.1,org.apache.shiro:shiro-web:1.7.1,org.apache.shiro:shiro-spring-boot-starter:1.7.1
Vulnerable Library - shiro-web-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
Publish Date: 2020-11-05
URL: CVE-2020-17510
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.8%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-7cj4-gj8m-m2f7
Release Date: 2020-11-05
Fix Resolution: org.apache.shiro:shiro-spring:1.7.0
Vulnerable Libraries - shiro-core-1.4.0.jar, shiro-web-1.4.0.jar
shiro-core-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar
Dependency Hierarchy:
shiro-web-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
Publish Date: 2020-06-22
URL: CVE-2020-11989
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 84.7%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-72w9-fcj5-3fcg
Release Date: 2020-06-22
Fix Resolution: org.apache.shiro:shiro-core:1.5.3
Vulnerable Library - commons-beanutils-1.9.3.jar
Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.9.3/commons-beanutils-1.9.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Improper Access Control vulnerability in Apache Commons.
A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default.
Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().
Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests.
This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils
1.x are recommended to upgrade to version 1.11.0, which fixes the issue.
Users of the artifact org.apache.commons:commons-beanutils2
2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.
Publish Date: 2025-05-28
URL: CVE-2025-48734
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-wxr5-93ph-8wr9
Release Date: 2025-05-28
Fix Resolution: https://github.com/apache/commons-beanutils.git - commons-beanutils-2.0.0-M2-RC1,https://github.com/apache/commons-beanutils.git - rel/commons-beanutils-2.0.0-M2,https://github.com/apache/commons-beanutils.git - rel/commons-beanutils-1.11.0,org.apache.commons:commons-beanutils2:2.0.0-M2,commons-beanutils:commons-beanutils:1.11.0
Vulnerable Library - shiro-core-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
Publish Date: 2020-08-17
URL: CVE-2020-13933
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 69.5%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-2vgm-wxr3-6w2j
Release Date: 2020-08-17
Fix Resolution: org.apache.shiro:shiro-core:1.6.0
Vulnerable Libraries - shiro-core-1.4.0.jar, shiro-crypto-cipher-1.4.0.jar
shiro-core-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar
Dependency Hierarchy:
shiro-crypto-cipher-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-crypto-cipher/1.4.0/shiro-crypto-cipher-1.4.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
Publish Date: 2019-11-18
URL: CVE-2019-12422
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 54.9%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-r679-m633-g7wc
Release Date: 2019-11-18
Fix Resolution: org.apache.shiro:shiro-core:1.4.2
Vulnerable Library - commons-beanutils-1.9.3.jar
Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.9.3/commons-beanutils-1.9.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
Publish Date: 2019-08-20
URL: CVE-2019-10086
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.2%
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2019-08-20
Fix Resolution (commons-beanutils:commons-beanutils): 1.9.4
Direct dependency fix Resolution (io.buji:buji-pac4j): 5.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - commons-beanutils-1.9.3.jar
Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.9.3/commons-beanutils-1.9.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Publish Date: 2014-04-30
URL: CVE-2014-0114
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 92.7%
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
Release Date: 2014-04-30
Fix Resolution (commons-beanutils:commons-beanutils): 1.9.4
Direct dependency fix Resolution (io.buji:buji-pac4j): 5.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - pac4j-core-2.2.1.jar
Profile & Authentication Client for Java
Library home page: https://github.com/pac4j/pac4j
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/pac4j/pac4j-core/2.2.1/pac4j-core-2.2.1.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
PAC4J is vulnerable to Cross-Site Request Forgery (CSRF). A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the attacker does not need to know the victim’s CSRF token or its hash prior to the attack. Collisions in the deterministic String.hashCode() function can be computed directly, reducing the effective token's security space to 32 bits. This bypasses CSRF protection, allowing profile updates, password changes, account linking, and any other state-changing operations to be performed without the victim's consent.
This issue was fixed in PAC4J versions 5.7.10 and 6.4.1
Publish Date: 2026-04-17
URL: CVE-2026-40458
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-17
Fix Resolution: https://github.com/pac4j/pac4j.git - pac4j-parent-5.7.10,https://github.com/pac4j/pac4j.git - pac4j-parent-6.4.1
Vulnerable Libraries - shiro-core-1.4.0.jar, shiro-web-1.4.0.jar
shiro-core-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar
Dependency Hierarchy:
shiro-web-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting
Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure "blockSemicolon" is enabled (this is the default).
Publish Date: 2024-01-15
URL: CVE-2023-46749
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-46749
Release Date: 2024-01-15
Fix Resolution: org.apache.shiro:shiro-all:1.13.0, org.apache.shiro:shiro-web:1.13.0
Vulnerable Library - shiro-web-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro.
Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.
Publish Date: 2023-12-14
URL: CVE-2023-46750
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-hhw5-c326-822h
Release Date: 2023-12-14
Fix Resolution (org.apache.shiro:shiro-web): 1.13.0
Direct dependency fix Resolution (io.buji:buji-pac4j): 8.2.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - shiro-web-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Authentication Bypass by Alternate Name vulnerability in Apache Shiro.
This issue affects Apache Shiro: before 2.0.7.
Users are recommended to upgrade to version 2.0.7, which fixes the issue.
The issue only effects static files. If static files are served from a case-insensitive filesystem,
such as default macOS setup, static files may be accessed by varying the case of the filename in the request.
If only lower-case (common default) filters are present in Shiro, they may be bypassed this way.
Shiro 2.0.7 and later has a new parameters to remediate this issue
shiro.ini: filterChainResolver.caseInsensitive = true
application.propertie: shiro.caseInsensitive=true
Shiro 3.0.0 and later (upcoming) makes this the default.
Publish Date: 2026-02-09
URL: CVE-2026-23903
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/5jjf0hnjcol58z2m5y255c7scz1lnp8k
Release Date: 2026-02-09
Fix Resolution (org.apache.shiro:shiro-web): 2.0.7
Direct dependency fix Resolution (io.buji:buji-pac4j): 9.1.1
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - shiro-core-1.4.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: https://www.apache.org/
Path to dependency file: /web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Observable Timing Discrepancy vulnerability in Apache Shiro.
This issue affects Apache Shiro: from 1., 2. before 2.0.7.
Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue.
Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough,
that a brute-force attack may be able to tell, by timing the requests only, determine if
the request failed because of a non-existent user vs. wrong password.
The most likely attack vector is a local attack only.
Shiro security model https://shiro.apache.org/security-model.html#username_enumeration discusses this as well.
Typically, brute force attack can be mitigated at the infrastructure level.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-02-10
URL: CVE-2026-23901
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (2.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://seclists.org/oss-sec/2026/q1/149
Release Date: 2026-02-07
Fix Resolution (org.apache.shiro:shiro-core): 2.1.0
Direct dependency fix Resolution (io.buji:buji-pac4j): 9.1.1
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.