Apache Shiro prior to 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to the URL patterns configured in shiro.ini, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI. A request path containing a "." segment fails to match the pattern protecting /account/ and instead falls through to a more permissive rule, even though the servlet container resolves it to the same protected resource. Fixed in Shiro 1.1.0, which normalizes the path before the comparison.
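The bug class is easier to see in code. The following is an added example written for this page, not Shiro's or JSecurity's source: a small model of a shiro.ini-style [urls] chain with a simplified Ant-pattern matcher, evaluated once against the raw request URI (the vulnerable behaviour) and once against a canonicalized path (the fixed behaviour). The rule set, the matcher and the helper names are constructed for illustration.

```python
"""
Constructed model of the CVE-2010-3863 bug class: matching an access-control
rule chain against the raw request URI versus a canonicalized path.
Not Shiro's code; the rules and matcher below are illustrative assumptions.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed [urls]-style rules in declaration order (assumption, not a real
# deployment): the first matching pattern decides which filter applies.
URL_RULES = [
    ("/account/**", "authc"),   # must be authenticated
    ("/**", "anon"),            # everything else is public
]


def ant_to_regex(pattern):
    """Translate a simplified Ant-style pattern into an anchored regex.
    '/**' matches zero or more trailing segments, '*' matches within one
    segment, '?' matches a single non-slash character."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def first_matching_filter(path, rules):
    """First-match-wins lookup over the rule chain."""
    for pattern, filt in rules:
        if ant_to_regex(pattern).match(path):
            return filt
    return None


def canonicalize(request_uri):
    """Decode percent-escapes, collapse duplicate slashes and resolve '.' and
    '..' segments so that every spelling of a resource maps to one path."""
    path = unquote(request_uri)
    path = re.sub(r"/+", "/", path)          # also removes a leading '//'
    if not path.startswith("/"):
        path = "/" + path
    norm = posixpath.normpath(path)          # '/./a' -> '/a', '/../a' -> '/a'
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"                          # keep trailing slash semantics
    return norm


def vulnerable_filter(request_uri):
    """Pre-1.1.0 behaviour: compare the raw URI against the patterns."""
    return first_matching_filter(request_uri, URL_RULES)


def fixed_filter(request_uri):
    """1.1.0-style behaviour: canonicalize before comparing."""
    return first_matching_filter(canonicalize(request_uri), URL_RULES)


if __name__ == "__main__":
    # Constructed request URIs; the second is the advisory's demonstration.
    for uri in ["/account/index.jsp", "/./account/index.jsp",
                "/account/../account/index.jsp", "//account/index.jsp",
                "/%2e/account/index.jsp", "/public/index.jsp"]:
        print(f"{uri:32} raw={vulnerable_filter(uri):5} "
              f"canonical={fixed_filter(uri)}")
```

The raw comparison sends /./account/index.jsp to the catch-all anon rule because the literal string does not start with /account/, while the container still serves the protected JSP. Canonicalizing first closes that gap and the related .., doubled-slash and percent-encoded variants. The remaining caveat for a real deployment is to canonicalize the same path string the container will use for dispatch; normalizing a different view of the URI (decoded versus undecoded, context path included or not) reintroduces the mismatch.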
Vulnerable Product |
---|
apache shiro (prior to 1.1.0) |
jsecurity jsecurity 0.9.0 |