Lucene search

GitHub Advisory DatabaseGHSA-3JX9-MGWX-4Q83

HistoryMay 14, 2022 - 2:42 a.m.

Apache Shiro Path Traversal vulnerability

2022-05-1402:42:51

CWE-22

GitHub Advisory Database

github.com

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.1 High

AI Score

Confidence

Low

0.674 Medium

EPSS

Percentile

98.0%

JSON

Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.

Affected configurations

Vulners

Node

org.apache.shiro\shiroMatchroot

CPENameOperatorVersion
org.apache.shiro:shiro-rootlt1.1.0

CPE	Name	Operator	Version
	org.apache.shiro:shiro-root	lt	1.1.0

References

archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html

exchange.xforce.ibmcloud.com/vulnerabilities/62959

github.com/advisories/GHSA-3jx9-mgwx-4q83

nvd.nist.gov/vuln/detail/CVE-2010-3863

web.archive.org/web/20101120091718/www.vupen.com/english/advisories/2010/2888

web.archive.org/web/20101129043410/secunia.com/advisories/41989

web.archive.org/web/20110929165859/www.securityfocus.com/bid/44616

web.archive.org/web/20161017000748/www.securityfocus.com/archive/1/514616/100/0/threaded

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.1 High

AI Score

Confidence

Low

0.674 Medium

EPSS

Percentile

98.0%

JSON

Related for GHSA-3JX9-MGWX-4Q83