CVE-2023-46749 Overview
Apache Shiro, a powerful and flexible open-source security framework for Java applications, contains a path traversal vulnerability that can result in authentication bypass when used together with path rewriting. This vulnerability affects Apache Shiro versions before 1.13.0 and 2.0.0-alpha-4.
Critical Impact
Attackers can leverage path traversal techniques to bypass authentication controls in Apache Shiro-protected applications when path rewriting is enabled, potentially gaining unauthorized access to protected resources.
Affected Products
- Apache Shiro versions before 1.13.0
- Apache Shiro 2.0.0-alpha1
- Apache Shiro 2.0.0-alpha2
- Apache Shiro 2.0.0-alpha3
Discovery Timeline
- January 15, 2024 - CVE-2023-46749 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2023-46749
Vulnerability Analysis
This vulnerability (CWE-22: Path Traversal) stems from improper handling of path elements in Apache Shiro's authentication and authorization filters when path rewriting is in use. The security framework fails to adequately normalize and validate request paths containing special characters, particularly semicolons, which can be exploited to traverse directories and bypass authentication checks.
When path rewriting is enabled in the application, an attacker can craft malicious requests that manipulate the URL path in a way that Shiro's security filters do not properly recognize. This allows the attacker to access protected endpoints without proper authentication, as the security framework misinterprets the actual target resource being accessed.
The vulnerability specifically impacts environments where the blockSemicolon configuration option is disabled, as semicolons in URLs can be used to inject path parameters that confuse the path matching logic.
Root Cause
The root cause lies in Apache Shiro's URL path normalization process when working in conjunction with path rewriting mechanisms. The framework does not properly sanitize path elements containing special characters (particularly semicolons) before performing authorization checks. This discrepancy between how Shiro interprets the path and how the underlying application server handles the request creates a security gap that can be exploited for authentication bypass.
Attack Vector
The attack is network-based and requires low privileges to execute. An attacker can send specially crafted HTTP requests to the target application with manipulated URL paths containing path traversal sequences or semicolon-based path parameters. When path rewriting is active and the blockSemicolon option is disabled, these malicious requests can bypass Shiro's authentication filters and reach protected resources.
The vulnerability allows high integrity impact, meaning attackers can modify or access data they should not be authorized to interact with. However, the attack does not directly lead to confidentiality breaches or availability issues according to the vulnerability assessment.
Detection Methods for CVE-2023-46749
Indicators of Compromise
- HTTP requests containing unusual path sequences with semicolons or encoded semicolons (%3B) in URL paths
- Access logs showing requests to protected resources from unauthenticated sessions
- Anomalous path patterns in web server logs that include path traversal sequences like ../ or encoded variants
- Requests containing path parameters (e.g., /protected;param=value/resource) targeting secured endpoints
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block path traversal patterns in request URLs
- Monitor application logs for authentication bypass attempts and unauthorized access to protected resources
- Deploy intrusion detection systems (IDS) with signatures for semicolon-based path manipulation attacks
- Review Apache Shiro configuration to verify blockSemicolon is enabled (default setting)
Monitoring Recommendations
- Enable detailed access logging on all Apache Shiro-protected applications to capture full request URLs
- Configure alerting for failed authentication attempts followed by successful resource access from the same source
- Implement anomaly detection for unusual URL patterns reaching protected endpoints
- Regularly audit authentication logs for signs of bypass attempts
How to Mitigate CVE-2023-46749
Immediate Actions Required
- Update Apache Shiro to version 1.13.0 or later (for 1.x branch) or 2.0.0-alpha-4 or later (for 2.x branch)
- Verify that the blockSemicolon configuration option is enabled in your Shiro configuration
- Review application access logs for any signs of exploitation attempts
- Conduct a security audit of all Shiro-protected endpoints to ensure proper authorization configuration
Patch Information
Apache has released patched versions that address this vulnerability. Organizations should upgrade to Apache Shiro 1.13.0 or higher for the stable branch, or 2.0.0-alpha-4 or higher for the alpha branch. The patch properly handles path normalization to prevent authentication bypass via path traversal techniques.
For detailed information, refer to the Apache Mailing List Thread and the NetApp Security Advisory.
Workarounds
- Ensure blockSemicolon is enabled in Apache Shiro configuration (this is the default setting and should not be disabled)
- Implement additional URL validation at the application or web server level to reject requests with suspicious path patterns
- Deploy a web application firewall (WAF) with rules to block path traversal attempts
- If upgrading is not immediately possible, review and restrict path rewriting configurations to minimize exposure
# Configuration example - Verify blockSemicolon is enabled in shiro.ini
[main]
# Ensure semicolon blocking is enabled (default behavior)
shiroFilter.blockSemicolon = true
# Alternative: Configure in Spring Boot application.properties
# shiro.filter.blockSemicolon=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
