github - ghsa-3jx9-mgwx-4q83

ghsa-3jx9-mgwx-4q83

Vulnerability from github

Published

2022-05-14 02:42

Modified

2024-02-07 22:57

Summary

Apache Shiro Path Traversal vulnerability

Details

Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.shiro:shiro-root"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2010-3863"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-07T22:57:26Z",
    "nvd_published_at": "2010-11-05T17:00:00Z",
    "severity": "MODERATE"
  },
  "details": "Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.",
  "id": "GHSA-3jx9-mgwx-4q83",
  "modified": "2024-02-07T22:57:26Z",
  "published": "2022-05-14T02:42:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3863"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62959"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/shiro"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20101120091718/http://www.vupen.com/english/advisories/2010/2888"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20101129043410/http://secunia.com/advisories/41989"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20110929165859/http://www.securityfocus.com/bid/44616"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20161017000748/http://www.securityfocus.com/archive/1/514616/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Apache Shiro Path Traversal vulnerability"
}

cve-2010-3863

Vulnerability from cvelistv5

Published

2010-11-05 16:28

Modified

2024-08-07 03:26

Severity

Summary

References

URL	Tags
http://www.securityfocus.com/bid/44616	vdb-entry, x_refsource_BID
http://secunia.com/advisories/41989	third-party-advisory, x_refsource_SECUNIA
http://osvdb.org/69067	vdb-entry, x_refsource_OSVDB
http://www.securityfocus.com/archive/1/514616/100/0/threaded	mailing-list, x_refsource_BUGTRAQ
http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html	mailing-list, x_refsource_FULLDISC
https://exchange.xforce.ibmcloud.com/vulnerabilities/62959	vdb-entry, x_refsource_XF
http://www.vupen.com/english/advisories/2010/2888	vdb-entry, x_refsource_VUPEN

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website