Description

Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2014-1351.html

http://seclists.org/fulldisclosure/2014/Mar/22

https://issues.apache.org/jira/browse/SHIRO-460

Related Vulnerabilities

CVE-2023-30526 Vulnerability in maven package org.jenkins-ci.plugins:reportportal

CVE-2023-29017 Vulnerability in npm package vm2

CVE-2021-3815 Vulnerability in npm package @fabiocaccamo/utils.js

CVE-2018-19056 Vulnerability in maven package org.webjars.bowergithub.pandao:editor.md

CVE-2019-19609 Vulnerability in npm package strapi

Severity

Critical

Classification

CWE-287

Tags

Exploit Vendor Advisory