CVE-2023-46749

2024-01-1510:15:26

Debian Security Bug Tracker

security-tracker.debian.org

apache shiro

authentication bypass

path traversal

update

mitigation

blocksemicolon

unix

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

6.7 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

10.2%

JSON

Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure blockSemicolon is enabled (this is the default).

OSVersionArchitecturePackageVersionFilename
Debian12allshiro< 1.3.2-5shiro_1.3.2-5_all.deb
Debian11allshiro< 1.3.2-4+deb11u1shiro_1.3.2-4+deb11u1_all.deb
Debian10allshiro< 1.3.2-4+deb10u1shiro_1.3.2-4+deb10u1_all.deb
Debian999allshiro< 1.3.2-5shiro_1.3.2-5_all.deb
Debian13allshiro< 1.3.2-5shiro_1.3.2-5_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	shiro	< 1.3.2-5	shiro_1.3.2-5_all.deb
Debian	11	all	shiro	< 1.3.2-4+deb11u1	shiro_1.3.2-4+deb11u1_all.deb
Debian	10	all	shiro	< 1.3.2-4+deb10u1	shiro_1.3.2-4+deb10u1_all.deb
Debian	999	all	shiro	< 1.3.2-5	shiro_1.3.2-5_all.deb
Debian	13	all	shiro	< 1.3.2-5	shiro_1.3.2-5_all.deb