First published: Fri Jan 12 2024(Updated: )
Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).
Credit: security@apache.org security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
Apache Shiro | <1.13.0 | |
Apache Shiro | =2.0.0-alpha1 | |
Apache Shiro | =2.0.0-alpha2 | |
Apache Shiro | =2.0.0-alpha3 | |
maven/org.apache.shiro:shiro-core | >=2.0.0alpha1<2.0.0alpha4 | 2.0.0-alpha4 |
maven/org.apache.shiro:shiro-core | <1.13.0 | 1.13.0 |
IBM Cognos Analytics | <=12.0.0-12.0.2 | |
IBM Cognos Analytics | <=11.2.0-11.2.4 FP3 | |
redhat/shiro | <1.13.0 | 1.13.0 |
redhat/shiro 2.0.0-alpha | <4 | 4 |
debian/shiro | 1.3.2-4+deb11u1 1.3.2-5 | |
<1.13.0 | ||
=2.0.0-alpha1 | ||
=2.0.0-alpha2 | ||
=2.0.0-alpha3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.