apache/aurora

Directory Traversal

Vulnerable module: org.apache.shiro:shiro-web
Introduced through: org.apache.shiro:shiro-web@1.4.0
Detailed paths
Introduced through: apache/aurora@apache/aurora#ea8e2f4d905e26b3b999e8b59a3cb74a08a3dbf5 › org.apache.shiro:shiro-web@1.4.0
Overview
org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.

Affected versions of this package are vulnerable to Directory Traversal. The request URIs /resource/menus and /resource/menus/ both reach the same server resource, but the path pattern /resource/menus does not match /resource/menus/. A user can therefore append "/" to the request URI to slip past the filter chain, bypassing Shiro's protection and gaining access to the server resource.
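To make the mismatch concrete, the following is an added Python model (not Shiro's code and not Aurora's configuration) of a first-match filter chain with an assumed rule mapping /resource/menus to the `authc` filter: the naive resolver lets the trailing-slash variant fall through to the catch-all `anon` rule, while normalizing the URI before matching sends both forms to the same filter.

```python
import re
from typing import Optional

# Constructed Shiro-style [urls] filter chain (assumed; not Aurora's real configuration).
# As in Shiro's chain resolver, the first pattern that matches decides the filter.
FILTER_CHAIN = [
    ("/resource/menus", "authc"),   # protected resource, requires authentication
    ("/**", "anon"),                # everything else is public
]


def ant_to_regex(pattern: str) -> "re.Pattern":
    """Translate an Ant-style path pattern into a regex: '**' spans segments, '*' stays within one."""
    parts = []
    for token in re.split(r"(\*\*|\*)", pattern):
        if token == "**":
            parts.append(".*")
        elif token == "*":
            parts.append("[^/]*")
        else:
            parts.append(re.escape(token))
    return re.compile("^" + "".join(parts) + "$")


def normalize_uri(uri: str) -> str:
    """Strip trailing slashes so '/a/' and '/a' resolve to the same chain entry (root stays '/')."""
    stripped = uri.rstrip("/")
    return stripped if stripped else "/"


def resolve_filter(request_uri: str, normalize: bool = False) -> Optional[str]:
    """Return the filter name assigned by the first chain entry whose pattern matches the URI."""
    uri = normalize_uri(request_uri) if normalize else request_uri
    for pattern, filter_name in FILTER_CHAIN:
        if ant_to_regex(pattern).match(uri):
            return filter_name
    return None


if __name__ == "__main__":
    # Constructed request URIs: the exact path and its trailing-slash variant.
    for uri in ("/resource/menus", "/resource/menus/"):
        naive = resolve_filter(uri)
        fixed = resolve_filter(uri, normalize=True)
        print(f"{uri!r:20} naive={naive!s:6} normalized={fixed}")
```

The naive resolver answers `anon` for `/resource/menus/`, which is the bypass the report describes; a resolver that normalizes the request URI before matching answers `authc` for both forms.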
