Description
Apache Shiro before 1.2.5 encrypts the "remember me" cookie with a hard-coded default AES key whenever the deployment has not configured its own cipher key. That default is identical in every unconfigured installation, so a remote attacker who knows it can forge a rememberMe cookie; the "unspecified request parameter" in the original advisory wording is this cookie. Shiro decrypts the cookie and deserializes the Java object inside it while building the subject for the request, before any authorization check, so a forged cookie can carry a deserialization gadget chain (arbitrary code execution with the privileges of the application server) or a crafted principal that bypasses intended access restrictions. No valid account is needed: the attack is a single unauthenticated HTTP request that carries the cookie, and the RCE outcome depends only on which gadget classes are present on the application's classpath.
Remediation
Upgrade to Apache Shiro 1.2.5 or later. From 1.2.5 the library no longer ships a static default key; when none is configured it generates a random key at startup, which means remember-me cookies stop validating across restarts and across cluster nodes until a key is configured explicitly. In every version, configure an application-specific cipher key, for example in shiro.ini as securityManager.rememberMeManager.cipherKey = <base64 key>, generated from a secure random source and stored as a secret rather than committed to version control. Never copy the key from documentation or sample configurations, since a shared key recreates the original vulnerability. If the old key may have been exposed, rotate it; rotation invalidates all outstanding remember-me cookies, which is the intended effect. Also confirm that no rememberMe cookie issued by production decrypts under the pre-1.2.5 default key.
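The following is an added example, not code from the Apache Shiro project or from the advisory above. It shows the two things a practitioner wants here: configuring the remember-me manager with a per-deployment key (failing closed if none is supplied) and checking whether a rememberMe cookie captured from a deployment still decrypts under the static default key that Shiro 1.2.4 and earlier used. It assumes Shiro 1.2.5+ on the classpath; the class name and the SHIRO_REMEMBER_ME_KEY environment variable are hypothetical, while AesCipherService, CookieRememberMeManager, DefaultWebSecurityManager and the org.apache.shiro.codec.Base64 helper are Shiro's public API.

```java
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.crypto.CryptoException;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

public class RememberMeKeyConfig {

    // The static key Shiro 1.2.4 and earlier fell back to when no cipherKey was
    // configured. Kept here only so a deployment can test whether it is still in use.
    static final byte[] SHIRO_1_2_4_DEFAULT_KEY = Base64.decode("kPH+bIxk5D2deZiIxcaaaA==");

    /** One-off: generate a fresh 128-bit AES key from Shiro's own cipher service. */
    public static String generateCipherKeyBase64() {
        byte[] key = new AesCipherService().generateNewKey().getEncoded();
        return Base64.encodeToString(key);
    }

    /** Build a security manager whose remember-me cookies use the supplied key. */
    public static DefaultWebSecurityManager build(String cipherKeyBase64) {
        if (cipherKeyBase64 == null || cipherKeyBase64.isEmpty()) {
            // Fail closed: a missing key must not silently become a shared default,
            // which is exactly how Shiro < 1.2.5 behaved.
            throw new IllegalStateException("SHIRO_REMEMBER_ME_KEY is not set");
        }
        CookieRememberMeManager rmm = new CookieRememberMeManager();
        rmm.setCipherKey(Base64.decode(cipherKeyBase64)); // sets encrypt + decrypt key
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
        sm.setRememberMeManager(rmm);
        return sm;
    }

    /**
     * Check: does a rememberMe cookie value (as sent by the browser, base64) decrypt
     * under the given key to a Java serialization stream (magic bytes AC ED 00 05)?
     * A true result with SHIRO_1_2_4_DEFAULT_KEY means the deployment is still exposed.
     * The magic-byte check matters because a wrong key occasionally yields valid
     * padding by chance, so "no exception" alone is not proof.
     */
    public static boolean cookieUsesKey(String rememberMeCookie, byte[] key) {
        try {
            byte[] plain = new AesCipherService()
                    .decrypt(Base64.decode(rememberMeCookie), key)
                    .getBytes();
            return plain.length >= 4
                    && (plain[0] & 0xff) == 0xac && (plain[1] & 0xff) == 0xed
                    && plain[2] == 0x00 && plain[3] == 0x05;
        } catch (CryptoException e) {
            return false; // bad padding: almost certainly a different key
        }
    }

    public static void main(String[] args) {
        if (args.length > 0 && args[0].equals("generate")) {
            // Run once, store the output in the secret store, never in the repo.
            System.out.println(generateCipherKeyBase64());
            return;
        }
        if (args.length > 1 && args[0].equals("check")) {
            // args[1] is a rememberMe cookie value copied from a real response.
            System.out.println("default key in use: "
                    + cookieUsesKey(args[1], SHIRO_1_2_4_DEFAULT_KEY));
            return;
        }
        // Normal startup: the key comes from the environment (hypothetical variable).
        build(System.getenv("SHIRO_REMEMBER_ME_KEY"));
    }
}
```

The shiro.ini equivalent of build() is a single line, securityManager.rememberMeManager.cipherKey = <output of generate>, which Shiro's ini loader accepts as base64. For the check, URL-decode the cookie value first if it was copied from a raw Set-Cookie header; Shiro itself base64-encodes the ciphertext, with the AES IV prepended, so no further unpacking is needed before decrypt().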
References
http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html
http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html
http://rhn.redhat.com/errata/RHSA-2016-2035.html
http://rhn.redhat.com/errata/RHSA-2016-2036.html
http://www.securityfocus.com/archive/1/538570/100/0/threaded
http://www.securityfocus.com/bid/91024
https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E
Related Vulnerabilities
CVE-2018-7408 Vulnerability in maven package org.webjars:npm
CVE-2023-47324 Vulnerability in maven package org.silverpeas.core:silverpeas-core-api
CVE-2021-21639 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2016-5016 Vulnerability in maven package org.cloudfoundry.identity:cloudfoundry-identity-server
CVE-2016-10547 Vulnerability in maven package org.webjars.npm:nunjucks