CVE-2023-34478

CWE-22: Path Traversal | 9 documents | 7 sources
Severity: 9.8 CRITICAL
EPSS: 0.0% (top 87.43%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 24; Latest update Dec 10

Description

Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (4 packages)

Source | Package | Affected versions
NVD | apache/shiro | < 1.12.0 | +1
Maven | org.apache.shiro:shiro-web | >= 2.0.0-alpha-1, < 2.0.0-alpha-3 | +1
Ubuntu | shiro | < 1.2.4-1ubuntu0.1~esm2 | +1

🔴 Vulnerability Details (6)

OSV: shiro vulnerabilities (2024-12-10)
OSV: CVE-2023-34478: Apache Shiro, before 1 (2023-07-24)
GHSA: Path Traversal in Apache Shiro (2023-07-24)
CVEList: Apache Shiro before 1.12.0, or 2.0.0-alpha-3, may be susceptible to a path traversal attack when used together with APIs or other web frameworks that route requests based on non-normalized requests. (2023-07-24)
OSV: Path Traversal in Apache Shiro (2023-07-24)

📋 Vendor Advisories (2)

Ubuntu: Apache Shiro vulnerabilities (2024-12-10)
Debian: CVE-2023-34478: shiro - Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path trave... (2023)
CVE-2023-34478 (CRITICAL CVSS 9.8) | Apache Shiro | cvebase.io