Description
Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.
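The check below is an added example, not code from Apache Shiro or from this advisory: it rejects an empty username or password in the application before any LDAP bind is attempted, so the decision never depends on whether the directory accepts unauthenticated binds. The class, enum and method names are hypothetical, the sample credentials are constructed, and the bind categories follow RFC 4513 section 5.1.

```java
import javax.naming.AuthenticationException;

public class LdapCredentialGuard {

    /** How a simple bind with these fields is categorised (RFC 4513, section 5.1). */
    enum BindKind { ANONYMOUS, UNAUTHENTICATED, EMPTY_NAME, NAME_PASSWORD }

    static BindKind classify(String user, char[] password) {
        boolean noUser = user == null || user.isEmpty();
        boolean noPass = password == null || password.length == 0;
        if (noUser && noPass) return BindKind.ANONYMOUS;
        // Non-empty name with a zero-length password: a server with
        // unauthenticated bind enabled answers "success" without checking a secret.
        if (noPass) return BindKind.UNAUTHENTICATED;
        if (noUser) return BindKind.EMPTY_NAME;
        return BindKind.NAME_PASSWORD;
    }

    /** Call before any bind; throws unless both fields carry a value. */
    static void requireRealCredentials(String user, char[] password)
            throws AuthenticationException {
        BindKind kind = classify(user, password);
        if (kind != BindKind.NAME_PASSWORD) {
            throw new AuthenticationException("rejected before bind: " + kind);
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: {username, password}
        String[][] samples = {
            {"alice", "s3cret"}, {"alice", ""}, {"", "s3cret"}, {"", ""}
        };
        for (String[] s : samples) {
            try {
                requireRealCredentials(s[0], s[1].toCharArray());
                System.out.println("'" + s[0] + "' -> proceed to LDAP bind");
            } catch (AuthenticationException e) {
                System.out.println("'" + s[0] + "' -> " + e.getMessage());
            }
        }
    }
}
```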
Remediation
References
http://rhn.redhat.com/errata/RHSA-2014-1351.html
http://seclists.org/fulldisclosure/2014/Mar/22
https://issues.apache.org/jira/browse/SHIRO-460
Related Vulnerabilities
CVE-2023-25764 Vulnerability in maven package org.jenkins-ci.plugins:email-ext
CVE-2016-10551 Vulnerability in npm package waterline-sequel
CVE-2023-24057 Vulnerability in maven package ca.uhn.hapi.fhir:org.hl7.fhir.utilities
CVE-2022-45935 Vulnerability in maven package org.apache.james:apache-james-mailbox-store
CVE-2021-32828 Vulnerability in maven package org.nuxeo.ecm.platform:nuxeo-platform-oauth