CVE-2023-46749

CVE-2023-46749: Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting

Vendor Apache Software Foundation

Product Apache Shiro

Weakness CWE-22 · Path traversal

Published January 15, 2024

Last update November 3, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).

Key dates

Disclosure timeline

January 15, 2024 CVE published

November 3, 2025 Record updated

Identifiers

CVE CVE-2023-46749

CWE CWE-22

Affected versions

Vendor Apache Software Foundation

Product Apache Shiro

Affected < 1.13.0

Vendor Apache Software Foundation

Product Apache Shiro

Affected ≥ 2.0.0-alpha-1 and < 2.0.0-alpha-4