Observable Timing Discrepancy vulnerability in Apache Shiro.
This issue affects Apache Shiro: from 1., 2. before 2.0.7.
Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue.
Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough, that a brute-force attack may be able to tell, by timing the requests only, determine if the request failed because of a non-existent user vs. wrong password.
The most likely attack vector is a local attack only. Shiro security model https://shiro.apache.org/security-model.html#username_enumeration discusses this as well.
Typically, brute force attack can be mitigated at the infrastructure level.
Weakness
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Shiro | Apache | * | 2.0.7 (excluding) |
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/462.html
- https://cwe.mitre.org/data/definitions/541.html
- https://cwe.mitre.org/data/definitions/580.html