CVE-2023-46749

Severity: 6.5 MEDIUM
EPSS: 0.2% (top 58.09%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 15, latest update Dec 10

Description

Apache Shiro before 1.13.0 or 2.0.0-alpha-4 may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting.

Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (5 packages)

NVD: apache/shiro, < 1.13.0 (+1)
Maven: org.apache.shiro:shiro-core, 2.0.0alpha1 to 2.0.0-alpha4 (+1)
CVEListV5: apache_software_foundation/apache_shiro, 2.0.0-alpha-1 to 2.0.0-alpha-4 (+1)
Debian: shiro, < 1.3.2-4+deb11u1 (+2)
Ubuntu: shiro, < 1.2.4-1ubuntu0.1~esm2 (+1)

Vulnerability Details (5)

OSV: shiro vulnerabilities (2024-12-10)
GHSA: Apache Shiro vulnerable to path traversal (2024-01-15)
CVEList: Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting (2024-01-15)
OSV: Apache Shiro vulnerable to path traversal (2024-01-15)
OSV: CVE-2023-46749: Apache Shiro before 1... (2024-01-15)

Vendor Advisories (3)

Ubuntu: Apache Shiro vulnerabilities (2024-12-10)
Red Hat: shiro: path traversal attack may lead to authentication bypass (2024-01-12)
Debian: CVE-2023-46749: shiro - Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traver... (2023)
CVE-2023-46749 (MEDIUM CVSS 6.5) | Apache Shiro before 1.13.0 or 2.0.0 | cvebase.io