Vulnerability Details CVE-2010-3863
Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.139
EPSS Ranking 94.0%
CVSS Severity
CVSS v2 Score 5.0
References
- http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html
- http://osvdb.org/69067
- http://secunia.com/advisories/41989
- http://www.securityfocus.com/archive/1/514616/100/0/threaded
- http://www.securityfocus.com/bid/44616
- http://www.vupen.com/english/advisories/2010/2888
- https://exchange.xforce.ibmcloud.com/vulnerabilities/62959
- http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html
- http://osvdb.org/69067
- http://secunia.com/advisories/41989
- http://www.securityfocus.com/archive/1/514616/100/0/threaded
- http://www.securityfocus.com/bid/44616
- http://www.vupen.com/english/advisories/2010/2888
- https://exchange.xforce.ibmcloud.com/vulnerabilities/62959