CVE-2010-3863

EPSS 12.3%

Apache Shiro Path Traversal vulnerability

發布日:2022/5/14修改日:2024/12/4

描述

Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.

受影響套件(1)

Maven/org.apache.shiro:shiro-rootfrom 0, < 1.1.0

參考連結(8)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2010-3863
PATCHhttps://github.com/apache/shiro
WEBhttp://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html
WEBhttps://exchange.xforce.ibmcloud.com/vulnerabilities/62959
WEBhttps://web.archive.org/web/20101120091718/http://www.vupen.com/english/advisories/2010/2888
WEBhttps://web.archive.org/web/20101129043410/http://secunia.com/advisories/41989
WEBhttps://web.archive.org/web/20110929165859/http://www.securityfocus.com/bid/44616
WEBhttps://web.archive.org/web/20161017000748/http://www.securityfocus.com/archive/1/514616/100/0/threaded