CVE-2023-22602 - Authentication Bypass

Severity: None

2023-02-14

Abstract

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching.

The Oxygen products incorporate Apache Shiro as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

Product                                  | Severity | Fixed Release Availability
Oxygen XML Web Author v25.0.2 and older  | None     | N/A
Oxygen Content Fusion v5.0.3 and older   | None     | N/A

Mitigation

None

Detail

CVE-2023-22602

Severity: High

CVSS Score: 7.5

The Apache Shiro third-party library used by the Oxygen XML products is one of the affected versions listed in the CVE-2023-22602 vulnerability description. However, the Oxygen products do not use Apache Shiro together with Spring Boot, and the bypass requires both. For that reason, our products are not affected by this vulnerability.
