Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2010-3863 Vulnerability in maven package org.apache.shiro:shiro-web

Description

Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.

Remediation

References

http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html

http://osvdb.org/69067

http://secunia.com/advisories/41989

http://www.securityfocus.com/archive/1/514616/100/0/threaded

http://www.securityfocus.com/bid/44616

http://www.vupen.com/english/advisories/2010/2888

https://exchange.xforce.ibmcloud.com/vulnerabilities/62959

Related Vulnerabilities

CVE-2023-24428 Vulnerability in maven package org.jenkins-ci.plugins:bitbucket-oauth

CVE-2023-34659 Vulnerability in maven package org.jeecgframework.boot:jeecg-boot-parent

CVE-2020-5258 Vulnerability in npm package dojo

CVE-2023-46998 Vulnerability in npm package bootbox

CVE-2022-36889 Vulnerability in maven package org.jenkins-ci.plugins:deployer-framework

Severity

Critical

Classification

CWE-22

Tags

Exploit Vendor Advisory