Apache Shiro Path Traversal Vulnerability

According to the vulnerability report released on the 25th of July, a critical vulnerability has been identified in Apache Shiro that can result in an authentication bypass, potentially putting sensitive data at risk.

The vulnerability is a path traversal vulnerability, which means an attacker can exploit it by sending a specially crafted request that contains malicious path information. This path information may be used to access sensitive data or files containing passwords, credit card numbers, or other personal information. The attacker could also use the vulnerability to gain control of the application or launch further attacks. (CVE-2023-34478)

Affected Systems

-

IoCs

-

Recommended Solution(s)

Apache Shiro users are urged to update their Apache Shiro framework to version 1.12.0 or later, or to 2.0.0-alpha-3 or later.

Mitigations

Users who are unable to update to the latest version of Apache Shiro are advised to take the following steps in order to protect their applications:

- Disable routing on non-normalized request paths in the application.
- Implement input validation to filter out malicious path information.
- Use a web application firewall (WAF) to block malicious requests.
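One way to put the first two mitigations into practice in front of an application that cannot yet be upgraded, as an added example that is not code from Apache Shiro or from this advisory: a Java check that rejects any request path that is not already in canonical form, so that routing and authorization never see a path that would normalize to something different. It assumes the caller hands it the undecoded request path without the query string (for example `HttpServletRequest.getRequestURI()` from a servlet Filter that runs before the Shiro filter chain); the sample paths in `main` are constructed.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

public final class PathNormalizationGuard {

    // Encoded forms that change the path once a downstream component decodes them.
    private static final List<String> SUSPICIOUS_ENCODINGS = Arrays.asList("%2e", "%2f", "%5c", "%00");

    /**
     * Returns true only when rawPath is already canonical: absolute, no "." or ".."
     * segments, no empty inner segments ("//"), no backslashes, no ";" path parameters,
     * no NUL characters and none of the encoded forms above. Anything else is rejected,
     * so the path an authorization check sees is the same one the router will act on.
     */
    public static boolean isCanonical(String rawPath) {
        if (rawPath == null || rawPath.isEmpty() || rawPath.charAt(0) != '/') {
            return false;
        }
        String lower = rawPath.toLowerCase(Locale.ROOT);
        for (String enc : SUSPICIOUS_ENCODINGS) {
            if (lower.contains(enc)) {
                return false;
            }
        }
        if (rawPath.indexOf('\\') >= 0 || rawPath.indexOf(';') >= 0 || rawPath.indexOf('\0') >= 0) {
            return false;
        }
        String[] segments = rawPath.substring(1).split("/", -1);
        for (int i = 0; i < segments.length; i++) {
            String seg = segments[i];
            boolean lastSegment = (i == segments.length - 1);
            if (seg.equals(".") || seg.equals("..")) {
                return false;
            }
            if (seg.isEmpty() && !lastSegment) { // "//" inside the path; a trailing "/" is allowed
                return false;
            }
        }
        return true;
    }

    // Constructed sample paths, not taken from any real request log.
    public static void main(String[] args) {
        String[] samples = {
            "/api/users/42", "/admin/", "/api/../admin/", "/api/./admin",
            "/api//admin", "/api;/admin", "/api/%2e%2e/admin", "/api\\admin"
        };
        for (String path : samples) {
            System.out.println((isCanonical(path) ? "ALLOW  " : "REJECT ") + path);
        }
    }
}
```

Wire `isCanonical` into a servlet Filter placed ahead of the Shiro filter chain and answer anything it rejects with an HTTP 400, so non-canonical paths are dropped before any routing or authorization decision is made.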

CVE / CWE

CVE-2023-34478

Related Website(s)

* Vulnerabilities with a CVSS 3.1 score between 7.0 and 8.9 are evaluated to be “high” whereas vulnerabilities with a CVSS 3.1 score between 9.0 and 10.0 are evaluated to be “critical”.