Description
Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.
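The failure mode described above, shown as an added example that is not Apache Shiro's code or its fix. The in-memory `simpleBind` is a constructed stand-in for an LDAP server with unauthenticated bind enabled (modelling only the empty-password case), and every class, method and DN name is hypothetical.

```java
import java.util.Map;

/** Added illustration, not Apache Shiro code. All names are hypothetical. */
public class UnauthenticatedBindDemo {

    /** Stand-in for an LDAP simple bind on a server that allows unauthenticated bind. */
    static boolean simpleBind(Map<String, String> directory, String dn, String password) {
        if (password == null || password.isEmpty()) {
            // Server accepts the bind but the session is anonymous, not the named user.
            return true;
        }
        return password.equals(directory.get(dn));
    }

    /** Flawed pattern: any successful bind is treated as proof of identity. */
    static boolean naiveLogin(Map<String, String> directory, String user, String password) {
        return simpleBind(directory, dnFor(user), password);
    }

    /** Hardened pattern: refuse empty credentials before the directory is contacted. */
    static boolean hardenedLogin(Map<String, String> directory, String user, String password) {
        if (isEmpty(user) || isEmpty(password)) {
            return false;
        }
        return simpleBind(directory, dnFor(user), password);
    }

    static boolean isEmpty(String s) {
        return s == null || s.isEmpty();
    }

    static String dnFor(String user) {
        return "uid=" + user + ",ou=people,dc=example,dc=test";
    }

    public static void main(String[] args) {
        // Constructed sample directory with a single account.
        Map<String, String> directory = Map.of(dnFor("alice"), "correct-horse");

        System.out.println("naive,    valid password: " + naiveLogin(directory, "alice", "correct-horse"));
        System.out.println("naive,    wrong password: " + naiveLogin(directory, "alice", "guess"));
        System.out.println("naive,    empty password: " + naiveLogin(directory, "alice", ""));
        System.out.println("hardened, empty password: " + hardenedLogin(directory, "alice", ""));
        System.out.println("hardened, empty username: " + hardenedLogin(directory, "", "correct-horse"));
        System.out.println("hardened, valid password: " + hardenedLogin(directory, "alice", "correct-horse"));
    }
}
```

The naive path reports a successful login for the empty password because the bind itself succeeds; the hardened path rejects both empty fields named in the description and still accepts the valid credential.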
Remediation
References
http://rhn.redhat.com/errata/RHSA-2014-1351.html
http://seclists.org/fulldisclosure/2014/Mar/22
https://issues.apache.org/jira/browse/SHIRO-460