org.apache.shiro:shiro-web@1.2.6 vulnerabilities

org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.

Affected versions of this package are vulnerable to Path Traversal via the path rewriting feature. An attacker can bypass authentication controls by exploiting the path traversal flaw.

Upgrade org.apache.shiro:shiro-web to version 1.13.0, 2.0.0-alpha-4 or higher.

org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.

Affected versions of this package are vulnerable to URL Redirection to Untrusted Site ('Open Redirect') via the FORM authentication feature. An attacker can redirect users to an untrusted site by manipulating the URL parameters.

Upgrade org.apache.shiro:shiro-web to version 1.13.0, 2.0.0-alpha-4 or higher.

org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.

Affected versions of this package are vulnerable to Directory Traversal when used together with APIs or other web frameworks that route non-normalized requests. An attacker can use this to access unintended locations on the target filesystem by sending malicious requests.

Upgrade org.apache.shiro:shiro-web to version 1.12.0 or higher.

org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.

Affected versions of this package are vulnerable to Authentication Bypass. when using with Spring, a specially crafted HTTP request may cause an authentication bypass.

Upgrade org.apache.shiro:shiro-web to version 1.7.1 or higher.

org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.

Affected versions of this package are vulnerable to Authentication Bypass via a specially crafted HTTP request.

Upgrade org.apache.shiro:shiro-web to version 1.6.0 or higher.

org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.

Affected versions of this package are vulnerable to Authentication Bypass. When using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

Upgrade org.apache.shiro:shiro-web to version 1.5.3 or higher.

org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.

Affected versions of this package are vulnerable to Authentication Bypass when using Apache Shiro with Spring dynamic controllers. Then by creating a specially crafted request, it may cause an authentication bypass.

Upgrade org.apache.shiro:shiro-web to version 1.5.2 or higher.

org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.

Affected versions of this package are vulnerable to Directory Traversal. The requestURI : /resource/menus and resource/menus/  can both access the server resource, but the pathPattern match /resource/menus can not match resource/menus/. A user can use requestURI + "/" to simply bypass the chain filter, thereby bypassing shiro protect and gaining access to the server resources.

Upgrade org.apache.shiro:shiro-web to version 1.5.0 or higher.

org.apache.shiro:shiro-web Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.