Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zang5LW1nd3gtNHE4M84AAV40
Apache Shiro Path Traversal vulnerability
Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.
Permalink: https://github.com/advisories/GHSA-3jx9-mgwx-4q83JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zang5LW1nd3gtNHE4M84AAV40
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 3 months ago
Identifiers: GHSA-3jx9-mgwx-4q83, CVE-2010-3863
References:
- https://nvd.nist.gov/vuln/detail/CVE-2010-3863
- https://exchange.xforce.ibmcloud.com/vulnerabilities/62959
- http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html
- https://web.archive.org/web/20101120091718/http://www.vupen.com/english/advisories/2010/2888
- https://web.archive.org/web/20101129043410/http://secunia.com/advisories/41989
- https://web.archive.org/web/20110929165859/http://www.securityfocus.com/bid/44616
- https://web.archive.org/web/20161017000748/http://www.securityfocus.com/archive/1/514616/100/0/threaded
- https://github.com/advisories/GHSA-3jx9-mgwx-4q83
Affected Packages
maven:org.apache.shiro:shiro-root
Dependent packages: 0Dependent repositories: 4
Downloads:
Affected Version Ranges: < 1.1.0
Fixed in: 1.1.0
All affected versions:
All unaffected versions: 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.11.0, 1.12.0, 1.13.0, 2.0.0