CVE-2023-22602: 
Java vulnerability analysis and mitigation

When using Apache Shiro before version 1.11.0 in combination with Spring Boot 2.6+, a vulnerability was discovered that could allow authentication bypass through specially crafted HTTP requests. The vulnerability was assigned CVE-2023-22602 and was disclosed on January 3, 2023. This security flaw affects systems running the Apache Shiro authentication framework in conjunction with newer versions of Spring Boot (CVE Mitre).

The vulnerability stems from a mismatch in pattern-matching techniques between Shiro and Spring Boot. While both Shiro and Spring Boot versions prior to 2.6 default to Ant style pattern matching, the discrepancy in pattern-matching approaches between newer Spring Boot versions and Shiro creates a security gap. The vulnerability has been assigned a CVSS score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (NetApp Security).

Successful exploitation of this vulnerability could lead to authentication bypass, potentially allowing unauthorized access to protected resources. The impact primarily affects data integrity, as successful exploitation could result in the addition or modification of data (NetApp Security).

Two primary mitigation options are available: 1) Upgrade to Apache Shiro version 1.11.0 or later, or 2) Set the Spring Boot configuration value to 'spring.mvc.pathmatch.matching-strategy = ant_path_matcher'. This configuration change aligns the pattern-matching strategies between the two frameworks (CVE Mitre).