Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2010-3863

CWE-22 — Path Traversal6 documents6 sources

Severity

5.0MEDIUM

EPSS

13.2%

top 5.86%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Apache Shiro Jsecurity Jsecurity

Timeline

PublishedNov 5

Latest updateMay 14

Description

Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶Mavenorg.apache.shiro:shiro-root< 1.1.0

▶NVDapache/shiro1.0.0

▶NVDjsecurity/jsecurity0.9.0

🔴Vulnerability Details

OSV

Apache Shiro Path Traversal vulnerability↗2022-05-14

▶

GHSA

Apache Shiro Path Traversal vulnerability↗2022-05-14

▶

CVEList

CVE-2010-3863: Apache Shiro before 1↗2010-11-05

▶

💥Exploits & PoCs

Exploit-DB

Apache Shiro - Directory Traversal↗2010-11-02

▶

📋Vendor Advisories

Debian

CVE-2010-3863: shiro - Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths ...↗2010

▶