CVE-2023-34478

CVE-2023-34478: Apache Shiro before 1.12.0, or 2.0.0-alpha-3, may be susceptible to a path traversal attack when used together with APIs or other web frameworks that route requests based on non-normalized requests.

Vendor Apache Software Foundation

Product Apache Shiro

Weakness CWE-22 · Path traversal

Published July 24, 2023

Last update February 13, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+

Key dates

Disclosure timeline

July 24, 2023 CVE published

February 13, 2025 Record updated

Identifiers

CVE CVE-2023-34478

CWE CWE-22

Affected versions

Vendor Apache Software Foundation

Product Apache Shiro

Affected < 1.12.0

Vendor Apache Software Foundation

Product Apache Shiro

Affected < 2.0.0-alpha-3