PT-2010-5126 · Apache+1 · Apache Shiro+1

Published 2010-11-05 · Updated 2022-05-14 · CVE-2010-3863
CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache Shiro versions prior to 1.1.0; JSecurity version 0.9.x

Description: The issue allows remote attackers to bypass intended access restrictions by sending a crafted request, as demonstrated by the "/./account/index.jsp" URI. The problem arises because URI paths are not canonicalized before they are compared to the path entries in the shiro.ini file, so a non-canonical form of a protected path fails to match the rule written for that path.

Recommendations: For Apache Shiro versions prior to 1.1.0, update to version 1.1.0 or later to resolve the issue. For JSecurity version 0.9.x, consider disabling access to sensitive areas of the application until a patch or update is available, or apply configuration changes to restrict access to intended areas.
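The following is an added illustration of the root cause named in the description, not code from Apache Shiro or from this advisory. It models the shiro.ini [urls] section as a constructed list of prefix rules (a simplification; Shiro uses Ant-style patterns) and shows how the same request is filtered with and without canonicalizing the path before the comparison. The rule table, the canonicalize() routine and the function names are assumptions made for the example; the actual 1.1.0 fix is not reproduced here.

```python
import posixpath
from urllib.parse import unquote

# Constructed stand-in for shiro.ini [urls] entries, most specific first.
# "authc" = authenticated users only, "anon" = anyone (hypothetical rules).
RULES = [
    ("/account", "authc"),
    ("/", "anon"),
]


def match_rule(path):
    """Return the filter of the first rule whose directory prefix covers path.

    A rule "/account" covers "/account" itself and anything under "/account/",
    but not "/accounting/...".
    """
    for prefix, filt in RULES:
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            return filt
    return "anon"


def canonicalize(request_uri):
    """Reduce a request URI to one canonical path before it is matched.

    Steps: drop the query string, percent-decode, collapse "." and ".."
    segments, and force a single leading slash so nothing can escape the root.
    """
    decoded = unquote(request_uri.split("?", 1)[0]) or "/"
    norm = posixpath.normpath(decoded)
    if not norm.startswith("/"):
        norm = "/" + norm
    # posixpath.normpath keeps a leading "//" (POSIX allows it); collapse it.
    while norm.startswith("//"):
        norm = norm[1:]
    return norm


def filter_for(request_uri, canonicalize_first):
    """Decide which filter applies to request_uri.

    canonicalize_first=False reproduces the flawed behaviour described in the
    advisory (raw URI compared against the rules); True is the hardened form.
    """
    path = canonicalize(request_uri) if canonicalize_first else request_uri
    return match_rule(path)


if __name__ == "__main__":
    for uri in ("/account/index.jsp", "/./account/index.jsp",
                "/public/../account/index.jsp", "/account/%2E/index.jsp?x=1"):
        print(f"{uri:32} raw={filter_for(uri, False):5} "
              f"canonical={filter_for(uri, True)}")
```

Run stand-alone, the script prints the raw-versus-canonical decision for each constructed URI: the "/./account/index.jsp" form from the advisory resolves to "anon" when compared uncanonicalized and to "authc" once canonicalized. The defensive point is that canonicalization must happen on the same representation the servlet container uses to resolve the resource; a rule table is only as strong as the normalization applied before the comparison, which is a useful regression check to keep after upgrading.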

Exploit · Fix · Path traversal


Weakness Enumeration

Related Identifiers

CVE-2010-3863
GHSA-3JX9-MGWX-4Q83

Affected Products

Apache Shiro
Security