org.apache.shiro:shiro-web 1.0.0-incubating vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.shiro:shiro-web package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Path Traversal org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Path Traversal via the path rewriting feature. An attacker can bypass authentication controls by exploiting the path traversal flaw. How to fix Path Traversal? Upgrade `org.apache.shiro:shiro-web` to version 1.13.0, 2.0.0-alpha-4 or higher.	[,1.13.0)[2.0.0-alpha-1,2.0.0-alpha-4)
M URL Redirection to Untrusted Site ('Open Redirect') org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to URL Redirection to Untrusted Site ('Open Redirect') via the `FORM` authentication feature. An attacker can redirect users to an untrusted site by manipulating the URL parameters. How to fix URL Redirection to Untrusted Site ('Open Redirect')? Upgrade `org.apache.shiro:shiro-web` to version 1.13.0, 2.0.0-alpha-4 or higher.	[,1.13.0)[2.0.0-alpha-1,2.0.0-alpha-4)
C Directory Traversal org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Directory Traversal when used together with APIs or other web frameworks that route non-normalized requests. An attacker can use this to access unintended locations on the target filesystem by sending malicious requests. How to fix Directory Traversal? Upgrade `org.apache.shiro:shiro-web` to version 1.12.0 or higher.	[,1.12.0)
H Authentication Bypass org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Authentication Bypass. when using with Spring, a specially crafted HTTP request may cause an authentication bypass. How to fix Authentication Bypass? Upgrade `org.apache.shiro:shiro-web` to version 1.7.1 or higher.	[,1.7.1)
H Authentication Bypass org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Authentication Bypass via a specially crafted HTTP request. How to fix Authentication Bypass? Upgrade `org.apache.shiro:shiro-web` to version 1.6.0 or higher.	[,1.6.0)
C Authentication Bypass org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Authentication Bypass. When using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. How to fix Authentication Bypass? Upgrade `org.apache.shiro:shiro-web` to version 1.5.3 or higher.	[,1.5.3)
M Authentication Bypass org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Authentication Bypass when using Apache Shiro with Spring dynamic controllers. Then by creating a specially crafted request, it may cause an authentication bypass. How to fix Authentication Bypass? Upgrade `org.apache.shiro:shiro-web` to version 1.5.2 or higher.	[,1.5.2)
M Directory Traversal org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Directory Traversal. The `requestURI : /resource/menus` and `resource/menus/` can both access the server resource, but the `pathPattern` match `/resource/menus` can not match `resource/menus/`. A user can use `requestURI + "/"` to simply bypass the chain filter, thereby bypassing shiro protect and gaining access to the server resources. How to fix Directory Traversal? Upgrade `org.apache.shiro:shiro-web` to version 1.5.0 or higher.	[,1.5.0)
H Improper Access Control `org.apache.shiro:shiro-web` Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.	[,1.3.2)
M Directory Traversal `org.apache.shiro:shiro-web` Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.	[,1.1.0)

Vulnerability

Vulnerable Version

Path Traversal