High severity · 7.5 · NVD Advisory · Published Sep 20, 2016 · Updated May 6, 2026

CVE-2016-6802

CVE-2016-6802

Description

Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.apache.shiro:shiro-all (Maven) | < 1.3.2 | 1.3.2
org.apache.shiro:shiro-web (Maven) | < 1.3.2 | 1.3.2

Affected products

1

Patches

1
b15ab927709c

Added fix to adjust how the servlet context path is handled

https://github.com/apache/shiro · Brian Demers · Sep 9, 2016 · via ghsa
2 files changed · +161 −2
  • web/src/main/java/org/apache/shiro/web/util/WebUtils.java (+3 −2, modified)
    @@ -248,11 +248,12 @@ public static String getContextPath(HttpServletRequest request) {
             if (contextPath == null) {
                 contextPath = request.getContextPath();
             }
    +        contextPath = normalize(decodeRequestString(request, contextPath));
             if ("/".equals(contextPath)) {
    -            // Invalid case, but happens for includes on Jetty: silently adapt it.
    +            // the normalize method will return a "/" and includes on Jetty, will also be a "/".
                 contextPath = "";
             }
    -        return decodeRequestString(request, contextPath);
    +        return contextPath;
         }
     
         /**
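Review bot: The rewritten comment on the `"/"` branch reads awkwardly and no longer says why a bare slash is collapsed to the empty string; suggest `// normalize() reduces an empty or slash-only path to "/" (Jetty includes also report "/"); both mean the root context, which the servlet API represents as "".` The new assignment decodes before normalizing, and that order matters because a percent-encoded separator would not be seen by a path normalizer that ran first, so a one-line why-comment such as `// decode first so encoded separators are canonicalized, then normalize` would make the intent explicit; normalize() itself is outside the hunk, so its exact semantics (the new tests suggest duplicate-slash collapsing) should be confirmed rather than assumed. If `request.getContextPath()` can return null on some containers, that null now flows into decodeRequestString() and normalize() with no guard visible here; worth checking that both helpers tolerate it. getContextPath() begins above the hunk, as the `@@` header shows.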
    
  • web/src/test/groovy/org/apache/shiro/web/util/WebUtilsTest.groovy (+158 −0, added)
    @@ -0,0 +1,158 @@
    +package org.apache.shiro.web.util
    +
    +import org.junit.Assert
    +import org.junit.Test
    +
    +import javax.servlet.http.HttpServletRequest
    +
    +import static org.easymock.EasyMock.*
    +import static org.junit.Assert.*
    +
    +/**
    + * Tests for {@link WebUtils}.
    + */
    +public class WebUtilsTest {
    +
    +    @Test
    +    void testGetContextPathIncludes() {
    +        def request = createMock(HttpServletRequest)
    +        expect(request.getAttribute(WebUtils.INCLUDE_CONTEXT_PATH_ATTRIBUTE)).andReturn("/")
    +        expect(request.getCharacterEncoding()).andReturn("UTF-8")
    +        replay request
    +        assertEquals "", WebUtils.getContextPath(request)
    +        verify request
    +
    +        request = createMock(HttpServletRequest)
    +        expect(request.getAttribute(WebUtils.INCLUDE_CONTEXT_PATH_ATTRIBUTE)).andReturn("")
    +        expect(request.getCharacterEncoding()).andReturn("UTF-8")
    +        replay request
    +        assertEquals "", WebUtils.getContextPath(request)
    +        verify request
    +
    +        request = createMock(HttpServletRequest)
    +        expect(request.getAttribute(WebUtils.INCLUDE_CONTEXT_PATH_ATTRIBUTE)).andReturn("/context-path")
    +        expect(request.getCharacterEncoding()).andReturn("UTF-8")
    +        replay request
    +        assertEquals "/context-path", WebUtils.getContextPath(request)
    +        verify request
    +
    +        request = createMock(HttpServletRequest)
    +        expect(request.getAttribute(WebUtils.INCLUDE_CONTEXT_PATH_ATTRIBUTE)).andReturn("//context-path")
    +        expect(request.getCharacterEncoding()).andReturn("UTF-8")
    +        replay request
    +        assertEquals "/context-path", WebUtils.getContextPath(request)
    +        verify request
    +    }
    +
    +    @Test
    +    void testGetContextPath() {
    +
    +        def request = createMock(HttpServletRequest)
    +        expect(request.getAttribute(WebUtils.INCLUDE_CONTEXT_PATH_ATTRIBUTE)).andReturn(null)
    +        expect(request.getContextPath()).andReturn("/")
    +        expect(request.getCharacterEncoding()).andReturn("UTF-8")
    +        replay request
    +        assertEquals "", WebUtils.getContextPath(request)
    +        verify request
    +
    +        request = createMock(HttpServletRequest)
    +        expect(request.getAttribute(WebUtils.INCLUDE_CONTEXT_PATH_ATTRIBUTE)).andReturn(null)
    +        expect(request.getContextPath()).andReturn("")
    +        expect(request.getCharacterEncoding()).andReturn("UTF-8")
    +        replay request
    +        assertEquals "", WebUtils.getContextPath(request)
    +        verify request
    +
    +        request = createMock(HttpServletRequest)
    +        expect(request.getAttribute(WebUtils.INCLUDE_CONTEXT_PATH_ATTRIBUTE)).andReturn(null)
    +        expect(request.getContextPath()).andReturn("/context-path")
    +        expect(request.getCharacterEncoding()).andReturn("UTF-8")
    +        replay request
    +        assertEquals "/context-path", WebUtils.getContextPath(request)
    +        verify request
    +
    +        request = createMock(HttpServletRequest)
    +        expect(request.getAttribute(WebUtils.INCLUDE_CONTEXT_PATH_ATTRIBUTE)).andReturn(null)
    +        expect(request.getContextPath()).andReturn("//context-path")
    +        expect(request.getCharacterEncoding()).andReturn("UTF-8")
    +        replay request
    +        assertEquals "/context-path", WebUtils.getContextPath(request)
    +        verify request
    +
    +        request = createMock(HttpServletRequest)
    +        expect(request.getAttribute(WebUtils.INCLUDE_CONTEXT_PATH_ATTRIBUTE)).andReturn(null)
    +        expect(request.getContextPath()).andReturn("/context%20path")
    +        expect(request.getCharacterEncoding()).andReturn("UTF-8")
    +        replay request
    +        assertEquals "/context path", WebUtils.getContextPath(request)
    +        verify request
    +
    +        request = createMock(HttpServletRequest)
    +        expect(request.getAttribute(WebUtils.INCLUDE_CONTEXT_PATH_ATTRIBUTE)).andReturn(null)
    +        expect(request.getContextPath()).andReturn("/c%6Fntext%20path")
    +        expect(request.getCharacterEncoding()).andReturn("UTF-8")
    +        replay request
    +        assertEquals "/context path", WebUtils.getContextPath(request)
    +        verify request
    +
    +        request = createMock(HttpServletRequest)
    +        expect(request.getAttribute(WebUtils.INCLUDE_CONTEXT_PATH_ATTRIBUTE)).andReturn(null)
    +        expect(request.getContextPath()).andReturn("/context path")
    +        expect(request.getCharacterEncoding()).andReturn("UTF-8")
    +        replay request
    +        assertEquals "/context path", WebUtils.getContextPath(request)
    +        verify request
    +
    +        request = createMock(HttpServletRequest)
    +        expect(request.getAttribute(WebUtils.INCLUDE_CONTEXT_PATH_ATTRIBUTE)).andReturn(null)
    +        expect(request.getContextPath()).andReturn("/context%2525path")
    +        expect(request.getCharacterEncoding()).andReturn("UTF-8")
    +        replay request
    +        assertEquals "/context%25path", WebUtils.getContextPath(request)
    +        verify request
    +
    +        // non visible character's are NOT normalized, such as a backspace
    +        request = createMock(HttpServletRequest)
    +        expect(request.getAttribute(WebUtils.INCLUDE_CONTEXT_PATH_ATTRIBUTE)).andReturn(null)
    +        expect(request.getContextPath()).andReturn("/context-%08path")
    +        expect(request.getCharacterEncoding()).andReturn("UTF-8")
    +        replay request
    +        def expected = "/context-" + (char) 0x08 + "path"
    +        assertEquals expected, WebUtils.getContextPath(request)
    +        verify request
    +
    +    }
    +
    +
    +    @Test
    +    void testGetPathWithinApplication() {
    +
    +        doTestGetPathWithinApplication("/", "/foobar", "/foobar");
    +        doTestGetPathWithinApplication("", "/foobar", "/foobar");
    +        doTestGetPathWithinApplication("", "foobar", "/foobar");
    +        doTestGetPathWithinApplication("/", "foobar", "/foobar");
    +        doTestGetPathWithinApplication("//", "foobar", "/foobar");
    +        doTestGetPathWithinApplication("//", "//foobar", "/foobar");
    +        doTestGetPathWithinApplication("/context-path", "/context-path/foobar", "/foobar");
    +        doTestGetPathWithinApplication("/context-path", "/context-path/foobar/", "/foobar/");
    +        doTestGetPathWithinApplication("//context-path", "//context-path/foobar", "/foobar");
    +        doTestGetPathWithinApplication("//context-path", "//context-path//foobar", "/foobar");
    +        doTestGetPathWithinApplication("//context-path", "//context-path/remove-one/remove-two/../../././/foobar", "/foobar");
    +        doTestGetPathWithinApplication("//context-path", "//context-path//../../././/foobar", null);
    +        doTestGetPathWithinApplication("/context%2525path", "/context%2525path/foobar", "/foobar");
    +        doTestGetPathWithinApplication("/c%6Fntext%20path", "/c%6Fntext%20path/foobar", "/foobar");
    +        doTestGetPathWithinApplication("/context path", "/context path/foobar", "/foobar");
    +
    +    }
    +
    +    void doTestGetPathWithinApplication(String contextPath, String requestUri, String expectedValue) {
    +
    +        def request = createMock(HttpServletRequest)
    +        expect(request.getAttribute(WebUtils.INCLUDE_CONTEXT_PATH_ATTRIBUTE)).andReturn(contextPath)
    +        expect(request.getAttribute(WebUtils.INCLUDE_REQUEST_URI_ATTRIBUTE)).andReturn(requestUri)
    +        expect(request.getCharacterEncoding()).andReturn("UTF-8").times(2)
    +        replay request
    +        assertEquals expectedValue, WebUtils.getPathWithinApplication(request)
    +        verify request
    +    }
    +}
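Review bot: `import org.junit.Assert` in the new file's import block is unused, since every assertion comes through the static `org.junit.Assert.*` import; drop it. The helper `doTestGetPathWithinApplication` is public by Groovy default but is not a test case; declare it `private void doTestGetPathWithinApplication(String contextPath, String requestUri, String expectedValue)` so runners and readers do not mistake it for one. The cases in `testGetContextPath` cover duplicate slashes and single versus double percent-decoding, but none uses a percent-encoded separator in the context path, which is the input where the decode-then-normalize ordering in `WebUtils.getContextPath` matters; a case asserting the decoded and normalized result would pin that behaviour against regression. The comment `// non visible character's are NOT normalized, such as a backspace` should read `// non-visible characters are NOT normalized, such as a backspace`, and statement terminators are inconsistent (semicolons appear only inside `testGetPathWithinApplication`).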
    


References

8
