Description
Apache Shiro Path Traversal vulnerability
Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to the path patterns defined in shiro.ini (the [urls] filter chains). A remote attacker can therefore bypass intended access restrictions with a crafted request: a URI such as /./account/index.jsp does not match a pattern written for /account/**, so the protecting filter chain is never applied, while the servlet container still resolves and serves the same /account/index.jsp resource.
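The comparison flaw, modelled as an added Python example (this is not Shiro's own code, and the canonicalize() routine is an illustrative fix, not the change that shipped in 1.1.0). FILTER_CHAIN is a constructed stand-in for a shiro.ini [urls] section, the Ant-style matcher is a minimal one written for this example, and the probe URIs beyond the advisory's /./account/index.jsp are constructed variants of the same non-canonical form that the fix also has to cover; percent-decoding before matching is a hardening assumption added here.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed filter chain in the shape of a shiro.ini [urls] section: the first
# pattern that matches the request path decides which filter applies.
FILTER_CHAIN = [
    ("/account/**", "authc"),   # /account/** must be authenticated
    ("/**", "anon"),            # everything else is anonymous
]


def _segments(path):
    # "/a/b" -> ["a", "b"]; empty segments from "//" are kept so they visibly break matching
    return path.split("/")[1:]


def _match_segments(pat, segs):
    # Minimal Ant-style matcher: "*" is one segment, "**" is zero or more segments.
    if not pat:
        return not segs
    head, rest = pat[0], pat[1:]
    if head == "**":
        return any(_match_segments(rest, segs[i:]) for i in range(len(segs) + 1))
    if not segs:
        return False
    if head == "*" or head == segs[0]:
        return _match_segments(rest, segs[1:])
    return False


def ant_match(pattern, path):
    return _match_segments(_segments(pattern), _segments(path))


def canonicalize(path):
    """Reduce a request path to the form the container will actually resolve.

    Illustrative fix, not Shiro's own routine: percent-decoding first is a hardening
    assumption; '//' is collapsed explicitly because posixpath.normpath keeps a
    leading '//'; '.' and '..' segments are then resolved and a '/' prefix enforced.
    """
    path = unquote(path)
    path = re.sub(r"/+", "/", path)
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        norm = "/" + norm
    return norm


def resolve_filter(path, canonicalize_first):
    """Return the filter name for a request path, or None if no pattern matches.

    canonicalize_first=False models the pre-1.1.0 behaviour (raw path compared to
    the patterns); True models the corrected behaviour.
    """
    lookup = canonicalize(path) if canonicalize_first else path
    for pattern, filter_name in FILTER_CHAIN:
        if ant_match(pattern, lookup):
            return filter_name
    return None


# Constructed probe URIs: the second is the one from the advisory, the rest are
# other non-canonical spellings of the same resource.
PROBES = [
    "/account/index.jsp",
    "/./account/index.jsp",
    "/public/../account/index.jsp",
    "//account/index.jsp",
    "/%2e/account/index.jsp",
]


def compare():
    # {path: (filter before the fix, filter after the fix)}
    return {p: (resolve_filter(p, False), resolve_filter(p, True)) for p in PROBES}


if __name__ == "__main__":
    for path, (before, after) in compare().items():
        print(f"{path:32s} before: {before:5s}  after: {after}")
```

With the raw comparison, every probe except the plain /account/index.jsp falls through to the catch-all /** chain and is treated as anonymous; after canonicalization all of them resolve to /account/index.jsp and hit the authc chain. The practitioner's check is the same in any path-pattern access-control layer: normalize the request path to exactly what the downstream resolver will use before matching it against the policy.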
References
- https://nvd.nist.gov/vuln/detail/CVE-2010-3863
- https://exchange.xforce.ibmcloud.com/vulnerabilities/62959
- https://web.archive.org/web/20101120091718/http://www.vupen.com/english/advisories/2010/2888
- https://web.archive.org/web/20101129043410/http://secunia.com/advisories/41989
- https://web.archive.org/web/20110929165859/http://www.securityfocus.com/bid/44616
- https://web.archive.org/web/20161017000748/http://www.securityfocus.com/archive/1/514616/100/0/threaded
- http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html
Packages
Name: org.apache.shiro:shiro-root (maven)
Affected versions: < 1.1.0
Fixed version: 1.1.0
Related vulnerabilities
- nvd (more than 15 years ago): Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.
- debian (more than 15 years ago): Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize ...