Description
Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.
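The condition described above, shown as an added example that is not code from Apache Shiro or from this advisory: a login path that trusts a successful LDAP bind, beside one that rejects empty values before binding. The class and method names, the in-memory directory and the sample entry are constructed for illustration, and `simulatedSimpleBind` is an assumed stand-in for a directory server with unauthenticated bind enabled.

```java
import java.util.Map;

public class LdapBindGuard {

    // Constructed stand-in for an LDAP server with unauthenticated bind
    // enabled: a simple bind with an empty name or password succeeds
    // without verifying any identity, the condition the description names.
    static boolean simulatedSimpleBind(Map<String, String> directory, String dn, String password) {
        if (dn.isEmpty() || password.isEmpty()) {
            return true;
        }
        return password.equals(directory.get(dn));
    }

    // Before: a successful bind is treated as proof of the user's identity.
    static boolean loginUnchecked(Map<String, String> directory, String dn, String password) {
        return simulatedSimpleBind(directory, dn, password);
    }

    // After: empty or missing values are rejected and never reach the bind.
    static boolean loginChecked(Map<String, String> directory, String dn, String password) {
        if (dn == null || dn.trim().isEmpty() || password == null || password.isEmpty()) {
            return false;
        }
        return simulatedSimpleBind(directory, dn, password);
    }

    public static void main(String[] args) {
        // Constructed sample entry, not taken from the advisory.
        String alice = "uid=alice,ou=people,dc=example,dc=org";
        Map<String, String> directory = Map.of(alice, "correct-horse");

        String[][] attempts = { {alice, "correct-horse"}, {alice, "wrong"}, {alice, ""}, {"", "x"} };
        for (String[] a : attempts) {
            System.out.printf("dn='%s' password='%s' unchecked=%b checked=%b%n",
                    a[0], a[1],
                    loginUnchecked(directory, a[0], a[1]),
                    loginChecked(directory, a[0], a[1]));
        }
    }
}
```

The two paths agree on the first two attempts and differ only on the empty-password and empty-name attempts, which is the check to reproduce in any realm that treats a bind result as authentication.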
Remediation
References
http://rhn.redhat.com/errata/RHSA-2014-1351.html
http://seclists.org/fulldisclosure/2014/Mar/22
https://issues.apache.org/jira/browse/SHIRO-460