CVE-2010-3863
N/A
N/A
Summary
Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- http://www.securityfocus.com/bid/44616
- http://secunia.com/advisories/41989
- http://osvdb.org/69067
- http://www.securityfocus.com/archive/1/514616/100/0/threaded
- http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/62959
- http://www.vupen.com/english/advisories/2010/2888
References
- http://www.securityfocus.com/bid/44616
- http://secunia.com/advisories/41989
- http://osvdb.org/69067
- http://www.securityfocus.com/archive/1/514616/100/0/threaded
- http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/62959
- http://www.vupen.com/english/advisories/2010/2888
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.