Is CVE-2020-11989 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 24%.

What products does CVE-2020-11989 affect?

Tracked products affected include Shiro. Check the version you run to see whether it is affected.

How do I fix CVE-2020-11989?

Apply the vendor fix promptly. Upgrade affected products to a fixed version.

CVE-2020-11989

Q: What is CVE-2020-11989?

CVE-2020-11989 is a critical-severity software vulnerability with a CVSS score of 9.8. Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

CRITICAL severity · CVSS 9.8

9.8CVSS CRITICAL

Summary

Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)24%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products we track (1)

Shiro

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Additional information

NVD record
https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3EAdvisory
https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E
https://lists.apache.org/thread.html/r408fe60bc8fdfd7c74135249d646d7abadb807ebf90f6fd2b014df21%40%3Cdev.geode.apache.org%3E
https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cdev.shiro.apache.org%3E
https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3%40%3Ccommits.shiro.apache.org%3E