CVE-2022-32532

unknown

Published 2022-06-30 · Modified 2023-11-08

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

—

VIR risk

—

Description

Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2022-32532

OS impact

OS	Version	Status
debian	bookworm	affected
debian	bullseye	affected
debian	sid	affected
debian	trixie	affected

Package impact

Ecosystem	Package	Vulnerable	Fixed
Maven	org.apache.shiro:shiro-core	`<1.9.1`	`1.9.1`

References

https://nvd.nist.gov/vuln/detail/CVE-2022-32532
https://github.com/apache/shiro
https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh
https://security-tracker.debian.org/tracker/CVE-2022-32532

Verify integrity in audit chain (admin only). AS-IS.