| Field | Value |
|---|---|
| Vulnerability Name | CVE-2010-3863 (CCN-62959) |
| Assigned | 2010-11-02 |
| Published | 2010-11-02 |
| Updated | 2018-10-10 |
| Summary | Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI. |
| CVSS v3 Severity | 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |
| CVSS v2 Severity | 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N); 3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C); 3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C) |
| Vulnerability Type | CWE-22 |
| Vulnerability Consequences | Bypass Security |
| References | CCN, Full-Disclosure Mailing List, Tue Nov 02 2010: "CVE-2010-3863: Apache Shiro information disclosure vulnerability"; FULLDISC, Exploit: 20101102 "CVE-2010-3863: Apache Shiro information disclosure vulnerability"; MITRE, CNA: CVE-2010-3863; OSVDB: 69067; CCN, SA41989: "Apache Shiro URL Path Security Bypass Vulnerability"; SECUNIA, Vendor Advisory: 41989; CCN, Apache Web site: Shiro; CCN, OSVDB ID 69067: "Apache Shiro URI Path Security Traversal Information Disclosure"; BUGTRAQ: 20101103 "CVE-2010-3863: Apache Shiro information disclosure vulnerability"; BID, Exploit: 44616; CCN, BID-44616: "Apache Shiro Directory Traversal Vulnerability"; VUPEN: ADV-2010-2888; XF: shiro-filters-security-bypass(62959) |
| Vulnerable Configuration | Configuration 1; Configuration CCN 1 (denotes that the component is vulnerable) |