Description
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
Remediation
References
http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html
http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html
http://rhn.redhat.com/errata/RHSA-2016-2035.html
http://rhn.redhat.com/errata/RHSA-2016-2036.html
http://www.securityfocus.com/archive/1/538570/100/0/threaded
http://www.securityfocus.com/bid/91024
https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-4437
Related Vulnerabilities
CVE-2022-35513 Vulnerability in npm package blink1control2
CVE-2021-25864 Vulnerability in npm package node-red-contrib-huemagic
CVE-2016-6795 Vulnerability in maven package org.apache.struts:struts2-core
CVE-2020-7766 Vulnerability in npm package json-ptr
CVE-2020-15156 Vulnerability in npm package nodebb-plugin-blog-comments