[MAVEN:GHSA-3JX9-MGWX-4Q83] Apache Shiro Path Traversal vulnerability

Severity Moderate

Affected Packages 1

Fixed Packages 1

CVEs 1

Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.

Package	Affected Version
pkg:maven/org.apache.shiro/shiro-root	< 1.1.0

Package	Fixed Version
pkg:maven/org.apache.shiro/shiro-root	= 1.1.0

ID: MAVEN:GHSA-3JX9-MGWX-4Q83
Severity: moderate
URL: https://github.com/advisories/GHSA-3jx9-mgwx-4q83
Published: 2022-05-14T02:42:51
(2 years ago)
Modified: 2024-02-07T22:57:27
(7 months ago)
Rights: Maven Security Team

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2010-3863
			https://exchange.xforce.ibmcloud.com/vulnerabilities/62959
			http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html
			https://web.archive.org/web/20101120091718/http://www.vupen.com/english/advisories/2010/2888
			https://web.archive.org/web/20101129043410/http://secunia.com/advisories/41989
			https://web.archive.org/web/20110929165859/http://www.securityfocus.com/bid/44616
			https://web.archive.org/web/20161017000748/http://www.securityfocus.com/archive/1/514616/100/0/threaded
			https://github.com/advisories/GHSA-3jx9-mgwx-4q83

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/org.apache.shiro/shiro-root	org.apache.shiro	shiro-root	< 1.1.0
Fixed	pkg:maven/org.apache.shiro/shiro-root	org.apache.shiro	shiro-root	= 1.1.0

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date