Apache Shiro Information Disclosure

Source: packetstormsecurity.com (PACKETSTORM:95484)
Author: SpringSource Security Team
Published: 2010-11-04

EPSS: 0.675 (Medium), percentile 97.6%

CVE-2010-3863: Apache Shiro information disclosure vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
- Apache Shiro 1.0.0-incubating
- The unsupported JSecurity 0.9.x versions are also affected

Description:
Shiro's path-based filter chain mechanism did not normalize request paths before performing path-matching logic. As a result, Shiro's filter chain matching logic was susceptible to path traversal attacks.

Mitigation:
All users should upgrade to 1.1.0

Example:
For a shiro.ini [urls] section entry:

```ini
/account/** = authc, ...
/** = anon
```

This states that all requests to the /account/** pages must be authenticated, as indicated by the 'authc' (authentication) filter in the chain definition.

A malicious request could be sent:

```http
GET /./account/index.jsp HTTP/1.1
```

Access would be granted because the path was not normalized to /account/index.jsp before it was evaluated for a match.
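The matching behaviour in the example above, reproduced in Python as an added illustration that is not Shiro's code: a simplified Ant-style matcher (hypothetical stand-in for Shiro's path matcher) resolves the request against chain definitions constructed from the [urls] excerpt, first without normalization (the 1.0.0 behaviour) and then with a normalization step (`normalize_path`, built on `posixpath.normpath`; the exact normalization routine in the fixed release is an assumption here).

```python
import posixpath
from typing import List, Optional, Sequence, Tuple

# Constructed chain definitions mirroring the shiro.ini [urls] excerpt above.
# As in Shiro, the first pattern that matches the request path selects the chain.
CHAINS: Sequence[Tuple[str, str]] = [
    ("/account/**", "authc"),
    ("/**", "anon"),
]


def _segments(p: str) -> List[str]:
    # Tokenise on '/', dropping empty tokens (so '/' and '' both become []).
    return [s for s in p.split("/") if s]


def _match(pat: List[str], segs: List[str]) -> bool:
    # Recursive Ant-style matching: '**' spans zero or more segments, '*' exactly one.
    if not pat:
        return not segs
    head, rest = pat[0], pat[1:]
    if head == "**":
        return any(_match(rest, segs[i:]) for i in range(len(segs) + 1))
    if segs and (head == "*" or head == segs[0]):
        return _match(rest, segs[1:])
    return False


def ant_match(pattern: str, path: str) -> bool:
    """Hypothetical simplified Ant-style matcher, sufficient for the advisory's patterns."""
    return _match(_segments(pattern), _segments(path))


def normalize_path(path: str) -> str:
    """Collapse '.', '..' and repeated slashes before matching (assumed normalization).
    '..' segments that would climb above the root are discarded, so the result stays under '/'."""
    if not path.startswith("/"):
        path = "/" + path
    norm = posixpath.normpath(path)
    return "/" + norm.lstrip("/")  # normpath preserves a leading '//'; collapse it too


def resolve_chain(request_path: str, normalize: bool) -> Optional[str]:
    """Return the filter chain for a request path; normalize=False reproduces the 1.0.0 behaviour."""
    path = normalize_path(request_path) if normalize else request_path
    for pattern, chain in CHAINS:
        if ant_match(pattern, path):
            return chain
    return None
```

With `normalize=False`, `/./account/index.jsp` falls through to the `anon` chain because its first segment is `.` rather than `account`; with `normalize=True` it resolves to `authc`.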

Credit:
This issue was discovered by Luke Taylor of SpringSource.

References:
http://shiro.apache.org/configuration.html

Les Hazlewood
