Apache Shiro before 1.13.0 or 2.0.0-alpha-4 may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting
Description
Apache Shiro before 1.13.0 or 2.0.0-alpha-4 may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting.
Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure blockSemicolon is enabled (this is the default).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Shiro before 1.13.0 or 2.0.0-alpha-4 allows authentication bypass via path traversal when path rewriting is used.
Vulnerability
Overview
CVE-2023-46749 is a path traversal vulnerability in Apache Shiro affecting versions before 1.13.0 or 2.0.0-alpha-4. The issue arises when path rewriting is enabled, allowing specially crafted requests to traverse directory paths and bypass authentication checks [1].
Exploitation
Details
An attacker can exploit this by sending an HTTP request with path traversal sequences (e.g., ../) in the URL when combined with path rewriting configurations. No authentication is required to trigger the vulnerability, as it occurs before access control checks are applied. The attack takes advantage of incomplete sanitization or handling of semicolons in the path; enabling the blockSemicolon configuration (which is the default) prevents exploitation [1].
Impact
Successful exploitation allows an attacker to bypass authentication and access protected resources or endpoints that should require valid credentials. This can lead to unauthorized data access, privilege escalation, or further compromise of the application [1].
Mitigation
Users should upgrade to Apache Shiro 1.13.0, 2.0.0-alpha-4, or later. Alternatively, ensuring the blockSemicolon setting is enabled (which is the default setting) will block the path traversal attack [1].
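To make the mechanism and the mitigation concrete, here is an added example (not Shiro's own code): a hypothetical pre-authentication path validator whose `block_semicolon` flag mirrors the page's blockSemicolon setting, run over constructed access-log lines to show which requests a defender would expect such a filter to reject. The function names, the extra traversal check and the log lines are assumptions.

```python
import re
from urllib.parse import unquote

# Hypothetical re-implementation of a pre-auth path filter (added example, not Shiro's code).
# block_semicolon mirrors the page's blockSemicolon setting; the ".." check is an extra
# layer a defender would keep in place, since traversal segments are the other half of the bug.
def is_valid_path(raw_path: str, block_semicolon: bool = True) -> bool:
    """Return False when a request path should be rejected before any URL-based
    authorization rule is evaluated."""
    # Decode twice so a double-encoded "%252e%252e" is also seen as "..".
    decoded = unquote(unquote(raw_path))
    if block_semicolon and ";" in decoded:
        return False  # path parameters such as "/admin;/" confuse path rewriting
    if "\\" in decoded:
        return False  # some containers normalize backslashes to "/"
    if any(seg in (".", "..") for seg in decoded.split("/")):
        return False  # directory traversal segment
    return True

# Constructed access-log lines (not taken from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [20/May/2026:10:00:01 +0000] "GET /api/users HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/May/2026:10:00:02 +0000] "GET /admin;/../api/secret HTTP/1.1" 200 88',
    '10.0.0.9 - - [20/May/2026:10:00:03 +0000] "GET /app/%2e%2e/admin HTTP/1.1" 200 91',
    '10.0.0.7 - - [20/May/2026:10:00:04 +0000] "GET /app;jsessionid=abc/home HTTP/1.1" 200 301',
]
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/')

def flag_suspicious(lines, block_semicolon=True):
    """Return the request targets in `lines` that is_valid_path would reject."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group(1).split("?", 1)[0]  # drop the query string
        if not is_valid_path(path, block_semicolon):
            hits.append(path)
    return hits

if __name__ == "__main__":
    for path in flag_suspicious(SAMPLE_LOG):
        print("reject:", path)
```

Running `flag_suspicious(SAMPLE_LOG, block_semicolon=False)` shows the weak setting: the `;jsessionid=` request passes, while the `..` segments are still caught only because of the extra traversal check.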
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.shiro:shiro-core | Maven | < 1.13.0 | 1.13.0 |
| org.apache.shiro:shiro-core | Maven | >= 2.0.0alpha1, < 2.0.0-alpha4 | 2.0.0-alpha4 |
Affected products
- Apache Software Foundation / Apache Shiro
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-jc7h-c423-mpjc (GHSA, advisory)
- lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm (GHSA, vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2023-46749 (GHSA, advisory)
- security.netapp.com/advisory/ntap-20241108-0002 (GHSA, web)
News mentions
No linked articles in our index yet.