This is a summary of the AI-generated 10-question deep analysis.
Q1 What is this vulnerability? (Essence + Consequences)
🚨 **Essence**: Apache Shiro before 1.9.1 has a security flaw. A `RegexRequestMatcher` can be misconfigured so that it is bypassed on certain servlet containers. 📉 **Consequences**: Security bypass.…
🛡️ **Root Cause**: CWE-863 (Incorrect Authorization). The core flaw lies in how `RegExPatternMatcher` handles request matching. It allows for configuration errors that lead to authorization bypasses.
Q3 Who is affected? (Versions/Components)
🏢 **Affected**: Apache Software Foundation. 📦 **Product**: Apache Shiro. 📅 **Version**: All versions **prior to 1.9.1**. If you are running 1.9.0 or lower, you are at risk!
Q4 What can hackers do? (Privileges/Data)
💀 **Attacker Capabilities**: Bypass token/header verification. 📂 **Access**: Gain unauthorized access to interfaces (e.g., `/permit/*`). 🗝️ **Privilege**: Access data or functions meant only for authenticated users.
Q5 Is the exploitation threshold high? (Auth/Config)
⚖️ **Threshold**: Medium. 📝 **Config**: Requires specific setup using `RegExPatternMatcher`. 🚪 **Auth**: Often involves bypassing Token header checks. If the dev uses regex matching incorrectly, the door is open.
Q6 Is there a public exploit? (PoC/Wild Exploitation)
🔓 **Public exploit?**: YES. 📂 **PoC**: Available on GitHub (e.g., `Lay0us1/CVE-2022-32532`). 💡 **Note**: The PoC shows one condition, but the vulnerability exists whenever `RegExPatternMatcher` is used improperly.
Q7 How to self-check? (Features/Scanning)
🔍 **Self-Check**: Scan for Apache Shiro versions < 1.9.1. 🔎 **Code Review**: Look for usage of `RegExPatternMatcher` or `RegexRequestMatcher`.…
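A small self-check covering both items above (a Shiro version below 1.9.1, and configuration that references `RegExPatternMatcher` or `RegexRequestMatcher`). This is an added example, not code from the page or from the Shiro project; the `shiro.ini` fragment is constructed, and `org.apache.shiro.util.RegExPatternMatcher` is the class name assumed for the matcher.

```python
"""Flag Shiro deployments that match the two self-check criteria from the advisory."""

FIXED_VERSION = (1, 9, 1)  # first release that carries the fix
RISKY_CLASSES = ("RegExPatternMatcher", "RegexRequestMatcher")


def parse_version(version: str) -> tuple:
    """Turn '1.9.0' or '1.10.0-SNAPSHOT' into a comparable numeric tuple."""
    core = version.split("-")[0]          # drop qualifiers such as -SNAPSHOT
    return tuple(int(part) for part in core.split("."))


def version_is_vulnerable(version: str) -> bool:
    """True for any release older than 1.9.1 (tuple compare handles 1.10.x correctly)."""
    return parse_version(version) < FIXED_VERSION


def scan_config(text: str) -> list:
    """Return (line_number, class_name, line) for every line naming a risky matcher."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for cls in RISKY_CLASSES:
            if cls in line:
                hits.append((lineno, cls, line.strip()))
    return hits


def assess(version: str, config_text: str) -> list:
    """Combine the version check and the config review into a list of findings."""
    findings = []
    if version_is_vulnerable(version):
        findings.append(f"shiro {version} is older than 1.9.1: upgrade")
    for lineno, cls, line in scan_config(config_text):
        # Reported even on patched versions so a reviewer confirms the regex is intended.
        findings.append(f"line {lineno}: {cls} in use ({line})")
    return findings


# Constructed shiro.ini fragment for demonstration (not from any real deployment).
SAMPLE_INI = """\
[main]
pathMatcher = org.apache.shiro.util.RegExPatternMatcher
filterChainResolver.pathMatcher = $pathMatcher
[urls]
/permit/.* = authc
"""

if __name__ == "__main__":
    for finding in assess("1.9.0", SAMPLE_INI):
        print(finding)
```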
🩹 **Fix**: Upgrade to **Apache Shiro 1.9.1** or later. 📢 **Official**: The vendor has released the fixed version. Patching is the primary mitigation strategy.
Q9 What if no patch? (Workaround)
🚧 **No Patch?**: If you can't upgrade immediately: 🚫 **Disable**: Avoid using `RegExPatternMatcher` if possible.…
🔥 **Urgency**: HIGH. 📅 **Date**: Published June 2022. ⚡ **Risk**: Easy to exploit if regex matching is misconfigured. 🏃 **Action**: Patch ASAP or implement strict workarounds. Don't ignore this!