Moderate severity · NVD Advisory · Published Nov 5, 2010 · Updated Apr 29, 2026
CVE-2010-3863
Description
Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.
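The defect described above, reduced to a toy matcher as an added example (not Shiro's own code): a shiro.ini-style rule list is evaluated once against the raw request path and once after dot-segment removal, showing why the raw comparison lets /./account/index.jsp fall through to the anonymous rule. The rule entries, the Ant-pattern approximation and the use of posixpath.normpath for canonicalization are assumptions made for the example.

```python
import posixpath
import re

# Constructed shiro.ini-style [urls] rules (assumption, not from the advisory),
# evaluated in order: the first matching pattern decides the filter.
URL_RULES = [
    ("/account/**", "authc"),   # everything under /account requires authentication
    ("/**", "anon"),            # anything else is anonymous
]


def ant_to_regex(pattern):
    """Approximate an Ant-style pattern: ** spans segments, * and ? stay within one."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def canonicalize(path):
    """Resolve '.' and '..' segments and collapse repeated slashes before matching."""
    norm = posixpath.normpath(path)       # '/./account/x' -> '/account/x'
    return "/" + norm.lstrip("/")         # normpath keeps a leading '//', so squash it


def filter_for(request_path, canonicalize_first):
    """Return the filter name the rule list selects for request_path."""
    path = canonicalize(request_path) if canonicalize_first else request_path
    for pattern, filter_name in URL_RULES:
        if ant_to_regex(pattern).match(path):
            return filter_name
    return "anon"   # no rule matched: fall through to anonymous


if __name__ == "__main__":
    for p in ("/account/index.jsp", "/./account/index.jsp", "/account/../account/index.jsp"):
        print(f"{p:40} raw={filter_for(p, False):5} canonical={filter_for(p, True)}")
```

The raw comparison answers "anon" for /./account/index.jsp because the literal string never matches /account/**; after canonicalization every spelling of the path maps to /account/index.jsp and the authc rule applies.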
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.shiro:shiro-root (Maven) | < 1.1.0 | 1.1.0 |
Affected products: 2
Patches: 0
No patches discovered yet.
References
References: 13
- archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html (NVD: Exploit, Web)
- www.securityfocus.com/bid/44616 (NVD: Exploit)
- secunia.com/advisories/41989 (NVD: Vendor Advisory)
- github.com/advisories/GHSA-3jx9-mgwx-4q83 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2010-3863 (GHSA: Advisory)
- exchange.xforce.ibmcloud.com/vulnerabilities/62959 (NVD: Web)
- web.archive.org/web/20101120091718/http://www.vupen.com/english/advisories/2010/2888 (GHSA: Web)
- web.archive.org/web/20101129043410/http://secunia.com/advisories/41989 (GHSA: Web)
- web.archive.org/web/20110929165859/http://www.securityfocus.com/bid/44616 (GHSA: Web)
- web.archive.org/web/20161017000748/http://www.securityfocus.com/archive/1/514616/100/0/threaded (GHSA: Web)
- osvdb.org/69067 (NVD)
- www.securityfocus.com/archive/1/514616/100/0/threaded (NVD)
- www.vupen.com/english/advisories/2010/2888 (NVD)