CVE-2010-3863:jsecurity, shiro: Apache Shiro before 1.1.0, and JSecurity 0.9.x, doe...

VRDA Feed by

Vulnerability Response Decision Assistance Feed : Information for vulnerability impact analysis

[ about VRDA Feed | JPCERT/CC ]

Vulnerability Analysis Result (Revision No : 1)

[ Download XML ]

CVE-2010-3863

jsecurity, shiro: Apache Shiro before 1.1.0, and JSecurity 0.9.x, doe...

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3863

Original

Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.

Translation (Show)

About This Analysis Information

Analysis Information Provider:

NIST NVD

First Published:

2010-11-05

Source Information Category:

Advisory, Alert

Last Updated:

2010-11-08

Affected Product Tags

cpe:/a:apache:shiro:1.0.0 and previous versions

cpe:/a:jsecurity:jsecurity:0.9.0

Vulnerability Analysis Results

[Access Vector] ^[?]

Undefined^[?]

Local^[?]

Adjacent Network^[?]

Network^[?]

[Access Complexit] ^[?]

Undefined^[?]

High^[?]

Medium^[?]

Low^[?]

[Authentication] ^[?]

Undefined^[?]

Multiple^[?]

Single^[?]

None^[?]

[Confidentiality Impact] ^[?]

Undefined^[?]

None^[?]

Partial^[?]

Complete^[?]

[Integrity Impact] ^[?]

Undefined^[?]

None^[?]

Partial^[?]

Complete^[?]

[Availability Impact] ^[?]

Undefined^[?]

None^[?]

Partial^[?]

Complete^[?]

Alternatives

References

BID 44616

BUGTRAQ 20101103 CVE-2010-3863: Apache Shiro information disclosure vulnerability

FULLDISC 20101102 CVE-2010-3863: Apache Shiro information disclosure vulnerability

SECUNIA 41989

Vulnerability Type Path Traversal (CWE-22)

XF shiro-filters-security-bypass(62959)