Moderate severity · NVD Advisory · Published Nov 5, 2010 · Updated Jun 16, 2026
CVE-2010-3863
Description
Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.
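The comparison flaw described above, shown beside the normalized comparison, as an added example that is not Shiro's own code. The rule `/account/** = authc`, the class and method names, and the simplified prefix matcher are assumptions made for illustration; the path is assumed to be already URL-decoded.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.LinkedHashMap;
import java.util.Map;

public class PathCanonicalizationDemo {
    // Constructed rule table modelled on a shiro.ini [urls] section (assumption).
    static final Map<String, String> RULES = new LinkedHashMap<>();
    static {
        RULES.put("/account/**", "authc");
    }

    // Simplified matcher: exact paths and trailing "/**" prefixes only.
    static String filterFor(String path) {
        for (Map.Entry<String, String> rule : RULES.entrySet()) {
            String pattern = rule.getKey();
            if (pattern.endsWith("/**")) {
                String base = pattern.substring(0, pattern.length() - 3); // "/account"
                if (path.equals(base) || path.startsWith(base + "/")) {
                    return rule.getValue();
                }
            } else if (pattern.equals(path)) {
                return rule.getValue();
            }
        }
        return "none"; // no rule matched, so no access check is applied
    }

    // Resolves empty, "." and ".." segments of an already URL-decoded path.
    static String normalize(String path) {
        Deque<String> kept = new ArrayDeque<>();
        for (String segment : path.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;
            }
            if (segment.equals("..")) {
                kept.pollLast(); // never climbs above the root
            } else {
                kept.addLast(segment);
            }
        }
        return "/" + String.join("/", kept);
    }

    public static void main(String[] args) {
        for (String p : new String[] {"/account/index.jsp", "/./account/index.jsp"}) {
            System.out.printf("%-22s raw=%-5s normalized=%s%n",
                    p, filterFor(p), filterFor(normalize(p)));
        }
    }
}
```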
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.shiro:shiro-root (Maven) | < 1.1.0 | 1.1.0 |
References
- archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html [nvd, Exploit, WEB]
- www.securityfocus.com/bid/44616 [nvd, Exploit]
- secunia.com/advisories/41989 [nvd, Vendor Advisory]
- github.com/advisories/GHSA-3jx9-mgwx-4q83 [ghsa, ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2010-3863 [ghsa, ADVISORY]
- exchange.xforce.ibmcloud.com/vulnerabilities/62959 [nvd, WEB]
- web.archive.org/web/20101120091718/http://www.vupen.com/english/advisories/2010/2888 [ghsa, WEB]
- web.archive.org/web/20101129043410/http://secunia.com/advisories/41989 [ghsa, WEB]
- web.archive.org/web/20110929165859/http://www.securityfocus.com/bid/44616 [ghsa, WEB]
- web.archive.org/web/20161017000748/http://www.securityfocus.com/archive/1/514616/100/0/threaded [ghsa, WEB]
- osvdb.org/69067 [nvd]
- www.securityfocus.com/archive/1/514616/100/0/threaded [nvd]
- www.vupen.com/english/advisories/2010/2888 [nvd]