Description

Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2014-1351.html

http://seclists.org/fulldisclosure/2014/Mar/22

https://issues.apache.org/jira/browse/SHIRO-460

Related Vulnerabilities

CVE-2023-2196 Vulnerability in maven package org.jenkins-ci.plugins:codedx

CVE-2022-25890 Vulnerability in npm package wifey

CVE-2019-10773 Vulnerability in npm package @pnpm/package-bins

CVE-2023-34617 Vulnerability in maven package com.owlike:genson

CVE-2017-12617 Vulnerability in maven package org.apache.tomcat:tomcat-util

Severity

Critical

Classification

CWE-287

Tags

Exploit Vendor Advisory