CVE-2010-3863: Path Traversal
First published: Fri Nov 05 2010(Updated: )
Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.shiro:shiro-root | <1.1.0 | 1.1.0 |
| Jsecurity | =0.9.0 | |
| Apache Shiro | <=1.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html
- http://www.securityfocus.com/bid/44616
- http://secunia.com/advisories/41989
- http://osvdb.org/69067
- http://www.vupen.com/english/advisories/2010/2888
- https://exchange.xforce.ibmcloud.com/vulnerabilities/62959
- http://www.securityfocus.com/archive/1/514616/100/0/threaded
- https://nvd.nist.gov/vuln/detail/CVE-2010-3863
- https://web.archive.org/web/20101120091718/http://www.vupen.com/english/advisories/2010/2888
- https://web.archive.org/web/20101129043410/http://secunia.com/advisories/41989
- https://web.archive.org/web/20110929165859/http://www.securityfocus.com/bid/44616
- https://web.archive.org/web/20161017000748/http://www.securityfocus.com/archive/1/514616/100/0/threaded
- https://github.com/advisories/GHSA-3jx9-mgwx-4q83 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2010-3863?
CVE-2010-3863 is considered critical due to its potential to allow unauthorized access to sensitive resources.
How do I fix CVE-2010-3863?
To fix CVE-2010-3863, upgrade Apache Shiro to version 1.1.0 or later, or JSecurity to version 0.9.1 or later.
What systems are affected by CVE-2010-3863?
CVE-2010-3863 affects Apache Shiro versions before 1.1.0 and JSecurity 0.9.x.
What kind of attack does CVE-2010-3863 allow?
CVE-2010-3863 allows remote attackers to bypass access restrictions through crafted URI paths.
Is there a workaround for CVE-2010-3863?
There is no known effective workaround for CVE-2010-3863, so upgrading is strongly recommended.
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-3jx9-mgwx-4q83
- alias/CVE-2010-3863
- agent/software-canonical-lookup
- agent/references
- agent/severity
- agent/weakness
- agent/softwarecombine
- agent/description
- agent/author
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- collector/nvd-index
- package-manager/maven
- vendor/jsecurity
- canonical/jsecurity
- version/jsecurity/0.9.0
- vendor/apache
- canonical/apache shiro
- version/apache shiro/1.0.0