5
CVE-2010-3863
- EPSS 54.8%
- Veröffentlicht 05.11.2010 17:00:02
- Zuletzt bearbeitet 16.06.2026 23:23:42
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 54.8% | 0.989 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:P/I:N/A:N
|
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html
http://osvdb.org/69067
http://secunia.com/advisories/41989
http://www.securityfocus.com/archive/1/514616/100/0/threaded
http://www.securityfocus.com/bid/44616
http://www.vupen.com/english/advisories/2010/2888
https://exchange.xforce.ibmcloud.com/vulnerabilities/62959