Shiro-Action Incorrect Access Control Vulnerability Allowing Information Leakage

Vulnerability

A vulnerability exists in Shiro-Action versions through 0.6: incorrect access control on the '/user/list' endpoint lets an unauthenticated attacker read sensitive information by sending a crafted request path. The root cause is a mismatch between how the Apache Shiro filter chain matches the request URI and how the servlet container resolves it. A path such as '/images/..;/user/list' is matched by Shiro against the static-resource prefix, which the filter chain treats as anonymous, while the container strips the ';' path parameter, resolves the '..' segment, and dispatches the request to the protected '/user/list' handler. The authentication check is therefore never applied to the request that actually reaches the API.

Impact

Exploiting this vulnerability gives an unauthenticated attacker access to sensitive information served by APIs that are meant to require authentication, such as the user listing returned by '/user/list'.

Reproduction

To reproduce this vulnerability, first send a GET request to '/user/list' without a valid session. The request is denied because the endpoint requires authentication. Then send a GET request to '/images/..;/user/list' instead. The container drops the ';' path parameter and lets the '..' segment step out of '/images/', so the request is dispatched to '/user/list', but Shiro has already matched the path against the anonymous '/images/' prefix and the authentication check is bypassed. The response contains the output of the '/user/list' API. Any other protected path can be tested the same way by placing it after the '/images/..;' prefix.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  8.7
remediation     0.0
relevance       0.0
threat          6.4
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.