Description

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

Remediation

References

http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html

http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html

http://rhn.redhat.com/errata/RHSA-2016-2035.html

http://rhn.redhat.com/errata/RHSA-2016-2036.html

http://www.securityfocus.com/archive/1/538570/100/0/threaded

http://www.securityfocus.com/bid/91024

https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E

Related Vulnerabilities

CVE-2020-36641 Vulnerability in maven package fr.turri:axmlrpc

CVE-2022-23631 Vulnerability in npm package superjson

CVE-2020-2198 Vulnerability in maven package hudson.plugins:project-inheritance

CVE-2017-12612 Vulnerability in maven package org.apache.spark:spark-core_2.11

CVE-2023-50709 Vulnerability in npm package @cubejs-backend/api-gateway

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory VDB Entry Exploit Broken Link Mailing List NVD-CWE-noinfo