Description

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

Remediation

References

http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html

http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html

http://rhn.redhat.com/errata/RHSA-2016-2035.html

http://rhn.redhat.com/errata/RHSA-2016-2036.html

http://www.securityfocus.com/archive/1/538570/100/0/threaded

http://www.securityfocus.com/bid/91024

https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E

Related Vulnerabilities

CVE-2022-25349 Vulnerability in maven package org.webjars.npm:materialize-css

CVE-2018-3785 Vulnerability in npm package git-dummy-commit

CVE-2019-20365 Vulnerability in maven package org.igniterealtime.openfire:xmppserver

CVE-2020-23622 Vulnerability in maven package org.fourthline.cling:cling-core

CVE-2019-19771 Vulnerability in npm package bpi66

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory VDB Entry Exploit Broken Link Mailing List NVD-CWE-noinfo