Message-ID: <a31603f8-fd7f-d1af-31bc-9abaffb6adba@apache.org>
Date: Fri, 12 Jan 2024 16:21:39 +0000
From: Brian Demers <bdemers@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2023-46749: Apache Shiro before 1.130 or 2.0.0-alpha-4, may be
 susceptible to a path traversal attack that results in an authentication
 bypass when used together with path rewriting  

Severity: low

Affected versions:

- Apache Shiro before 1.13.0
- Apache Shiro 2.0.0-alpha-1 before 2.0.0-alpha-4

Description:

Apache Shiro before 1.13.0, or 2.0.0-alpha-1 through 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting.

Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).
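As an added configuration example (not part of the advisory): in Shiro 1.6 and later the `blockSemicolon` check belongs to the `InvalidRequestFilter`, which is registered under the filter name `invalidRequest` and runs ahead of the path-matching filter chains. The first `[main]` block shows the weakened setting an audit should flag; the second keeps the default explicit so a later edit cannot silently turn it off.

```ini
# WEAK: disables the semicolon check, leaving path rewriting exposed
[main]
invalidRequest.blockSemicolon = false

[urls]
/admin/** = authc
/** = anon

# HARDENED: the default, written out so it is visible in review
[main]
invalidRequest.blockSemicolon = true
invalidRequest.blockBackslash = true
invalidRequest.blockNonAscii = true

[urls]
/admin/** = authc
/** = anon
```

Only one `[main]` section applies per file; the two are shown together here for comparison.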

References:

https://shiro.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-46749
