WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2010-3863 Vulnerability in maven package org.apache.shiro:shiro-web

Description

Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.

Remediation

References

http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html

http://osvdb.org/69067

http://secunia.com/advisories/41989

http://www.securityfocus.com/archive/1/514616/100/0/threaded

http://www.securityfocus.com/bid/44616

http://www.vupen.com/english/advisories/2010/2888

https://exchange.xforce.ibmcloud.com/vulnerabilities/62959

Related Vulnerabilities

CVE-2022-41928 Vulnerability in maven package org.xwiki.platform:xwiki-platform-attachment-ui

CVE-2021-39151 Vulnerability in maven package com.thoughtworks.xstream:xstream

CVE-2023-45857 Vulnerability in npm package axios

CVE-2020-36380 Vulnerability in npm package aaptjs

CVE-2022-3978 Vulnerability in npm package nodebb

Severity

Critical

Classification

CWE-22

Tags

Exploit Vendor Advisory