Miggo Logo
Miggo Vulnerability Database
CVE-2023-34478

CVE-2023-34478: Path Traversal in Apache Shiro

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-34478
GHSA ID
GHSA-pmhc-2g4f-85cg
EPSS Score
0.11882%
CWE
CWE-22
Published
7/24/2023
Updated
2/13/2025
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.apache.shiro:shiro-webmaven< 1.12.01.12.0
org.apache.shiro:shiro-webmaven>= 2.0.0-alpha-1, < 2.0.0-alpha-32.0.0-alpha-3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing path traversal checks in request validation. The patch added: 1) containsTraversal() with isNormalized() path checks, 2) FORWARDSLASH and PERIOD pattern detection, and 3) blockTraversal configuration. Pre-patch versions lacked these protections in the validation flow executed by isValid() and isAccessAllowed(). The test cases in InvalidRequestFilterTest.groovy confirm these functions were vulnerable to various traversal payloads before the patch.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*p**** S*iro, ***or* *.**.* or *.*.*-*lp**-*, m*y ** sus**pti*l* to * p*t* tr*v*rs*l *tt**k t**t r*sults in *n *ut**nti**tion *yp*ss w**n us** to**t**r wit* *PIs or ot**r w** *r*m*works t**t rout* r*qu*sts **s** on non-norm*liz** r*qu*sts. Miti**tio

Reasoning

T** vuln*r**ility st*ms *rom missin* p*t* tr*v*rs*l ****ks in r*qu*st v*li**tion. T** p*t** *****: *) `*ont*insTr*v*rs*l()` wit* `isNorm*liz**()` p*t* ****ks, *) *ORW*R*SL*S* *n* P*RIO* p*tt*rn **t**tion, *n* *) *lo*kTr*v*rs*l *on*i*ur*tion. Pr*-p*t*