Lucene search

GitHub Advisory DatabaseGHSA-JC7H-C423-MPJC

HistoryJan 15, 2024 - 12:30 p.m.

Apache Shiro vulnerable to path traversal

2024-01-1512:30:19

CWE-22

GitHub Advisory Database

github.com

apache

shiro

path traversal

vulnerability

authentication

bypass

update.

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

7.1 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

10.2%

JSON

Apache Shiro before 1.130 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting

Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure blockSemicolon is enabled (this is the default).

Affected configurations

Vulners

Node

org.apache.shiro\shiroMatchcore

CPENameOperatorVersion
org.apache.shiro:shiro-corelt2.0.0alpha4
org.apache.shiro:shiro-corelt1.13.0

CPE	Name	Operator	Version
	org.apache.shiro:shiro-core	lt	2.0.0alpha4
	org.apache.shiro:shiro-core	lt	1.13.0

References

github.com/advisories/GHSA-jc7h-c423-mpjc

lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm

nvd.nist.gov/vuln/detail/CVE-2023-46749

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

7.1 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

10.2%

JSON

Related for GHSA-JC7H-C423-MPJC