CVE-2023-34478: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

July 24, 2023 (updated September 15, 2023)

Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.

Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+

References

www.openwall.com/lists/oss-security/2023/07/24/4
lists.apache.org/thread/mbv26onkgw9o35rldh7vmq11wpv2t2qk
nvd.nist.gov/vuln/detail/CVE-2023-34478

Detect and mitigate CVE-2023-34478 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →