CVE-2023-34478

CRITICAL EXPLOITED

Apache Shiro < 1.12.0 - Path Traversal and Authentication Bypass via Non-Normalized Request Routing

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2023-34478 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including shoucheng3.

AI-analyzed exploit summary This repository contains source code files from Apache Shiro, specifically related to CVE-2023-34478. The files include cache management and configuration components, but no exploit code or proof-of-concept is present.

Description

Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+

Exploits (1)

nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/apache__shiro_CVE-2023-34478_1-11-0

This repository contains source code files from Apache Shiro, specifically related to CVE-2023-34478. The files include cache management and configuration components, but no exploit code or proof-of-concept is present.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Apache Shiro
No auth needed
Prerequisites: Access to vulnerable Apache Shiro instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 9.8
EPSS 0.0005
EPSS Percentile 16.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2023-07-26
CWE
CWE-22
Status published
Products (3)
apache/shiro 2.0.0 alpha1 (2 CPE variants)
apache/shiro < 1.12.0
org.apache.shiro/shiro-web 0 - 1.12.0Maven
Published Jul 24, 2023
Tracked Since Feb 18, 2026