CVE-2023-46749

2024-01-1510:15:26

CWE-22

[email protected]

web.nvd.nist.gov

apache shiro

path traversal

authentication bypass

update

mitigation

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

AI Score

6.7

Confidence

High

EPSS

Percentile

10.3%

JSON

Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting

Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure blockSemicolon is enabled (this is the default).

Affected configurations

Nvd

Node

apacheshiroRange<1.13.0

apacheshiroMatch2.0.0alpha1

apacheshiroMatch2.0.0alpha2

apacheshiroMatch2.0.0alpha3

VendorProductVersionCPE
apacheshiro*cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*
apacheshiro2.0.0cpe:2.3:a:apache:shiro:2.0.0:alpha1:*:*:*:*:*:*
apacheshiro2.0.0cpe:2.3:a:apache:shiro:2.0.0:alpha2:*:*:*:*:*:*
apacheshiro2.0.0cpe:2.3:a:apache:shiro:2.0.0:alpha3:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	shiro	*	cpe:2.3:a:apache:shiro::::::::
apache	shiro	2.0.0	cpe:2.3:a:apache:shiro:2.0.0:alpha1::::::
apache	shiro	2.0.0	cpe:2.3:a:apache:shiro:2.0.0:alpha2::::::
apache	shiro	2.0.0	cpe:2.3:a:apache:shiro:2.0.0:alpha3::::::