oss-security - CVE-2023-34478: Apache Shiro before 1.12.0, or 2.0.0-alpha-3, may be susceptible to a path traversal attack when used together with APIs or other web frameworks that route requests based on non-normalized requests.

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <29582adc-1944-9191-ec59-3d1ee26d3cad@apache.org>
Date: Mon, 24 Jul 2023 18:06:06 +0000
From: Brian Demers <bdemers@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2023-34478: Apache Shiro before 1.12.0, or 2.0.0-alpha-3, may
 be susceptible to a path traversal attack when used together with APIs or
 other web frameworks that route requests based on non-normalized requests.

Severity: important

Affected versions:

- Apache Shiro before 1.12.0
- Apache Shiro before 2.0.0-alpha-3

Description:

Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.

Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+

Credit:

tkswifty (finder)
Ha1c9on (finder)

References:

https://lists.apache.org/thread/mbv26onkgw9o35rldh7vmq11wpv2t2qk
https://shiro.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-34478

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.