Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2010-3863 Vulnerability in maven package org.apache.shiro:shiro-all

Description

Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.

Remediation

References

http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html

http://osvdb.org/69067

http://secunia.com/advisories/41989

http://www.securityfocus.com/archive/1/514616/100/0/threaded

http://www.securityfocus.com/bid/44616

http://www.vupen.com/english/advisories/2010/2888

https://exchange.xforce.ibmcloud.com/vulnerabilities/62959

Related Vulnerabilities

CVE-2020-7742 Vulnerability in npm package simpl-schema

CVE-2023-50720 Vulnerability in maven package org.xwiki.platform:xwiki-platform-search-solr-api

CVE-2021-40663 Vulnerability in npm package deep.assign

CVE-2014-3577 Vulnerability in maven package org.apache.httpcomponents:httpclient

CVE-2020-36649 Vulnerability in maven package org.webjars.npm:papaparse

Severity

Critical

Classification

CWE-22

Tags

Exploit Vendor Advisory