CVE-2010-3863
Apache Shiro Path Traversal vulnerability
EPSS 54.8%
Description
Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.
How to fix CVE-2010-3863
To remediate CVE-2010-3863, upgrade the affected package to a fixed version below.
- Maven/org.apache.shiro:shiro-root: upgrade to 1.1.0 or later
Is CVE-2010-3863 being exploited?
Likely — EPSS is 54.8%, placing CVE-2010-3863 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- org.apache.shiro:shiro-root: all versions from 0 up to, but not including, 1.1.0