Description
Apache Shiro before 1.13.0 or 2.0.0-alpha-4 may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting.
Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).
A flaw was found in Apache Shiro, which may allow a path traversal attack. When this issue is combined with the path rewriting feature, it can lead to an authentication bypass.
Mitigation measures
This flaw can be mitigated by making sure `blockSemicolon` is enabled.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat build of Apache Camel for Spring Boot 3 | shiro | Out of support scope | | |
| Red Hat build of Apache Camel for Spring Boot 4 | shiro | Not affected | | |
| Red Hat build of Quarkus | org.apache.shiro/shiro-core | Not affected | | |
| Red Hat Integration Camel K 1 | shiro | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 7 | shiro-core | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 8 | shiro-core | Not affected | | |
| Red Hat JBoss Enterprise Application Platform Expansion Pack | shiro-core | Not affected | | |
| Red Hat Fuse 7.13.0 | shiro | Fixed | RHSA-2024:3354 | 23.05.2024 |
Additional information
Status:
EPSS
6.5 Medium
CVSS3
Related vulnerabilities
Apache Shiro before 1.13.0 or 2.0.0-alpha-4 may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting. Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).
A vulnerability in the Apache Shiro framework caused by improper limitation of a pathname to a restricted directory, allowing an attacker to bypass the authentication process.
EPSS
6.5 Medium
CVSS3