CVE-2010-3863: Path Traversal
First published: Fri Nov 05 2010(Updated: )
Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jsecurity Jsecurity | =0.9.0 | |
| Apache Shiro | <=1.0.0 | |
| maven/org.apache.shiro:shiro-root | <1.1.0 | 1.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html
- http://www.securityfocus.com/bid/44616
- http://secunia.com/advisories/41989
- http://osvdb.org/69067
- http://www.vupen.com/english/advisories/2010/2888
- https://exchange.xforce.ibmcloud.com/vulnerabilities/62959
- http://www.securityfocus.com/archive/1/514616/100/0/threaded
- https://nvd.nist.gov/vuln/detail/CVE-2010-3863
- https://web.archive.org/web/20101120091718/http://www.vupen.com/english/advisories/2010/2888
- https://web.archive.org/web/20101129043410/http://secunia.com/advisories/41989
- https://web.archive.org/web/20110929165859/http://www.securityfocus.com/bid/44616
- https://web.archive.org/web/20161017000748/http://www.securityfocus.com/archive/1/514616/100/0/threaded
- https://github.com/advisories/GHSA-3jx9-mgwx-4q83 (Advisory)
- collector/nvd-historical
- collector/nvd-index
- agent/first-publish-date
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-3jx9-mgwx-4q83
- alias/CVE-2010-3863
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/severity
- agent/weakness
- agent/softwarecombine
- agent/description
- agent/event
- collector/nvd-cve
- source/NVD
- agent/author
- collector/github-advisory
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/jsecurity
- canonical/jsecurity jsecurity
- version/jsecurity jsecurity/0.9.0
- vendor/apache
- canonical/apache shiro
- version/apache shiro/1.0.0
- package-manager/maven