shiro-web is vulnerable to Path Traversal. The vulnerability exists because InvalidRequestFilter.java does not properly validate request URLs, which allows an attacker to access files outside the expected directory, leading to an authentication bypass when shiro-web is used together with APIs or other web frameworks that route requests based on non-normalized paths.
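The following added example (not Shiro's own code) shows the root cause in miniature: a filter that matches access rules against the raw request path disagrees with a downstream router that normalizes the path first, and a hardened check in the spirit of the fix rejects non-normalized paths before any rule is evaluated. The `/admin/` prefix rule, the `normalize`/`is_normalized`/`authz_mismatch`/`hardened_decision` helpers and the sample paths are all constructed for this example.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample rule (hypothetical): paths under /admin/ require login,
# everything else is anonymous. Not Shiro's real filter-chain syntax.
PROTECTED_PREFIX = "/admin/"

def normalize(raw_path: str) -> str:
    """Canonical form a downstream router would typically use: percent-decoded,
    with '.'/'..' segments resolved and doubled slashes collapsed."""
    decoded = unquote(raw_path)
    norm = posixpath.normpath(decoded)
    # normpath drops a trailing slash; keep it so '/admin/' stays distinct from '/admin'
    if decoded.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm

def is_normalized(raw_path: str) -> bool:
    """Hardened check in the spirit of the Shiro fix: accept only paths that are
    already canonical, so the filter and the router cannot see different requests."""
    if not raw_path.startswith("/"):
        return False
    decoded = unquote(raw_path)
    if "\\" in decoded or "\0" in decoded or "//" in decoded:
        return False
    if any(seg in (".", "..") for seg in decoded.split("/")):
        return False
    return normalize(raw_path) == decoded

def authz_mismatch(raw_path: str) -> bool:
    """Detection helper: True when a filter matching the raw path and a router
    matching the normalized path disagree, i.e. the request the filter judged
    is not the request the application will actually serve."""
    raw_hit = raw_path.startswith(PROTECTED_PREFIX)
    norm_hit = normalize(raw_path).startswith(PROTECTED_PREFIX)
    return raw_hit != norm_hit

def hardened_decision(raw_path: str) -> str:
    """Filter stage after the fix: reject non-normalized paths before matching rules."""
    if not is_normalized(raw_path):
        return "reject"
    return "authc" if raw_path.startswith(PROTECTED_PREFIX) else "anon"

if __name__ == "__main__":
    # Constructed request paths, including one that is not normalized
    for p in ["/admin/users", "/public/index.html", "/public/../admin/users"]:
        print(f"{p:28} mismatch={authz_mismatch(p)!s:5} decision={hardened_decision(p)}")
```

A request for which `authz_mismatch` is true is worth logging at the filter layer, since it is exactly the case where a rule evaluated on the raw path no longer describes what the application will serve.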
www.openwall.com/lists/oss-security/2023/07/24/4
github.com/advisories/GHSA-pmhc-2g4f-85cg
github.com/apache/shiro/commit/b67ff01cb1b94d23908ed7cfb6dfce4d16b54a02
github.com/apache/shiro/commit/c3ede3f94efb442acb0795714a022c2c121d1da0
lists.apache.org/thread/mbv26onkgw9o35rldh7vmq11wpv2t2qk
security.netapp.com/advisory/ntap-20230915-0005/