Path Traversal in Apache Shiro

2023-07-2421:30:39

Google

osv.dev

apache shiro

path traversal

vulnerability

authentication bypass

update software

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

40.9%

JSON

Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.

Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+

CPENameOperatorVersion
org.apache.shiro:shiro-webeq1.5.1
org.apache.shiro:shiro-webeq1.0.0-incubating
org.apache.shiro:shiro-webeq1.2.1
org.apache.shiro:shiro-webeq1.2.4
org.apache.shiro:shiro-webeq1.11.0
org.apache.shiro:shiro-webeq1.2.2
org.apache.shiro:shiro-webeq1.5.3
org.apache.shiro:shiro-webeq1.2.3
org.apache.shiro:shiro-webeq2.0.0-alpha-2
org.apache.shiro:shiro-webeq1.4.0

Name	Operator	Version
org.apache.shiro:shiro-web	eq	1.5.1
org.apache.shiro:shiro-web	eq	1.0.0-incubating
org.apache.shiro:shiro-web	eq	1.2.1
org.apache.shiro:shiro-web	eq	1.2.4
org.apache.shiro:shiro-web	eq	1.11.0
org.apache.shiro:shiro-web	eq	1.2.2
org.apache.shiro:shiro-web	eq	1.5.3
org.apache.shiro:shiro-web	eq	1.2.3
org.apache.shiro:shiro-web	eq	2.0.0-alpha-2
org.apache.shiro:shiro-web	eq	1.4.0