CVE-2010-3863

medium

Description

Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/62959

http://www.vupen.com/english/advisories/2010/2888

http://www.securityfocus.com/archive/1/514616/100/0/threaded

http://secunia.com/advisories/41989

http://osvdb.org/69067

Details

Source: Mitre, NVD

Published: 2010-11-05

Updated: 2018-10-10

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Severity: Medium