
Apache Shiro permission bypass vulnerability notification

2025-01-19 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

This article explains the Apache Shiro permission bypass vulnerability notice in detail. The content is shared for reference, and after reading it you should have a clear understanding of the relevant points.

0x01 Vulnerability overview

On August 18, 2020, 360CERT monitoring found that Apache Shiro had issued a risk notice for an Apache Shiro privilege bypass. The vulnerability number is CVE-2020-13933, vulnerability level: high risk, vulnerability score: 8.0.

Because Apache Shiro mishandles authentication requests, it contains a privilege bypass vulnerability: a remote attacker can send a specially crafted HTTP request, bypass the authentication process, and gain unauthorized access to the application.

In this regard, 360CERT recommends that users upgrade Apache Shiro to the latest version promptly. At the same time, carry out asset self-inspection and prevention to avoid attacks.

0x02 Risk rating

360CERT's assessment of the vulnerability is as follows:

Assessment method: Threat level: High risk
Assessment method: Impact surface: Extensive
Assessment method: 360CERT score: 8.0

0x03 Vulnerability details

Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, password, and session management.

The patch for the previous Apache Shiro authentication bypass vulnerability, CVE-2020-11989, is flawed. In versions 1.5.3 and earlier, because Shiro and Spring differ in how they handle URLs, the error in processing authentication requests still allows an authentication bypass: a remote attacker can send a specially crafted HTTP request, bypass the authentication process, and gain unauthorized access to the application.

0x04 Affected versions

Apache Shiro < 1.6.0

0x05 Repair recommendations

General patching recommendations:

Upgrade to the latest version, available at http://shiro.apache.org/download.html.
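As an aid to the asset self-inspection recommended above, here is an added example (not tooling from 360CERT or the Shiro project) that scans a Maven pom.xml for org.apache.shiro dependencies and flags versions below the 1.6.0 fix. The pom fragment and artifact names are constructed sample values.

```python
"""Flag Apache Shiro dependency versions below the 1.6.0 fix for CVE-2020-13933.

Added example: the parser, version comparison and sample pom.xml are
constructed for illustration, not code from the advisory or from Shiro.
"""
import re

FIXED_VERSION = (1, 6, 0)  # advisory: Apache Shiro < 1.6.0 is affected


def parse_version(text):
    """Turn '1.5.3' or '1.5.3-SNAPSHOT' into a comparable tuple of ints."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def is_vulnerable(version):
    """True when the version sorts below the fixed release (tuple compare, so 1.10 > 1.6)."""
    return parse_version(version) < FIXED_VERSION


def find_shiro_dependencies(pom_xml):
    """Yield (artifactId, version or None) for every org.apache.shiro dependency."""
    for block in re.findall(r"<dependency>(.*?)</dependency>", pom_xml, re.S):
        gid = re.search(r"<groupId>\s*(.*?)\s*</groupId>", block)
        aid = re.search(r"<artifactId>\s*(.*?)\s*</artifactId>", block)
        ver = re.search(r"<version>\s*(.*?)\s*</version>", block)
        if gid and aid and gid.group(1) == "org.apache.shiro":
            yield aid.group(1), (ver.group(1) if ver else None)


def audit_pom(pom_xml):
    """Return (artifactId, version, status) triples; status is vulnerable/fixed/unknown.

    A dependency with no <version> is managed elsewhere (parent/BOM), so it is
    reported as 'unknown' rather than silently passed.
    """
    findings = []
    for artifact, version in find_shiro_dependencies(pom_xml):
        if version is None:
            status = "unknown"
        else:
            status = "vulnerable" if is_vulnerable(version) else "fixed"
        findings.append((artifact, version, status))
    return findings


# Constructed sample pom.xml fragment (three Shiro artifacts, one non-Shiro).
SAMPLE_POM = """
<dependencies>
  <dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-core</artifactId><version>1.5.3</version></dependency>
  <dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-spring</artifactId><version>1.6.0</version></dependency>
  <dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-web</artifactId></dependency>
  <dependency><groupId>org.springframework</groupId><artifactId>spring-web</artifactId><version>5.2.8.RELEASE</version></dependency>
</dependencies>
"""

if __name__ == "__main__":
    for artifact, version, status in audit_pom(SAMPLE_POM):
        print(f"{artifact:14} {str(version):8} {status}")
```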

0x06 Related asset mapping data

Asset mapping of the whole network shows that Apache Shiro is widely used worldwide, as shown in the following figure.

0x07 Product-side solution

360 city-level network security monitoring service

The QUAKE asset mapping platform of the 360 Security Brain monitors such vulnerabilities by means of asset mapping technology. Users can contact the relevant product area leader or (quake#360.cn) to obtain the corresponding product.

This concludes the Apache Shiro permission bypass vulnerability notice. I hope the above content is of some help to you and lets you learn more. If you think the article is good, share it so more people can see it.


© 2024 shulou.com SLNews company. All rights reserved.
