Description
Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.
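The failure mode above, shown as an added defensive example (not code from Apache Shiro or from this advisory): a guard that classifies submitted credentials the way an LDAP server sees a simple bind under RFC 4513 and forwards only binds carrying both a name and a password. The class, enum and method names are hypothetical, and the sample logins are constructed.

```java
/** Added illustration; BindGuard and its members are hypothetical names, not Shiro API. */
public class BindGuard {

    /** ANONYMOUS, UNAUTHENTICATED and NAME_PASSWORD follow RFC 4513 section 5.1; EMPTY_NAME is this example's own label. */
    enum BindKind { ANONYMOUS, UNAUTHENTICATED, EMPTY_NAME, NAME_PASSWORD }

    /** Classify the simple bind that would result from these credentials. */
    static BindKind classify(String username, char[] password) {
        // A whitespace-only name is treated as empty (a conservative choice of this example).
        boolean noName = username == null || username.trim().isEmpty();
        // The password is not trimmed: any non-zero-length value is a real password attempt.
        boolean noPassword = password == null || password.length == 0;
        if (noName && noPassword) return BindKind.ANONYMOUS;
        // Non-empty name with zero-length password: a server with unauthenticated
        // bind enabled answers "success" without verifying anything.
        if (noPassword) return BindKind.UNAUTHENTICATED;
        if (noName) return BindKind.EMPTY_NAME;
        return BindKind.NAME_PASSWORD;
    }

    /** Only a bind that carries both a name and a password may reach the directory. */
    static boolean mayAttemptBind(String username, char[] password) {
        return classify(username, password) == BindKind.NAME_PASSWORD;
    }

    public static void main(String[] args) {
        // Constructed sample logins: {username, password}
        String[][] samples = {
            {"alice", "correct horse"},
            {"alice", ""},
            {"", "anything"},
            {"", ""},
            {"   ", "x"},
        };
        for (String[] s : samples) {
            char[] pw = s[1].toCharArray();
            System.out.printf("user=%-10s pwLen=%-3d kind=%-16s forward=%b%n",
                    "\"" + s[0] + "\"", pw.length, classify(s[0], pw), mayAttemptBind(s[0], pw));
        }
    }
}
```

A check like this belongs in the application before the bind is issued, because a successful bind result from the directory does not by itself prove that a password was verified.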
Remediation
References
http://rhn.redhat.com/errata/RHSA-2014-1351.html
http://seclists.org/fulldisclosure/2014/Mar/22
https://issues.apache.org/jira/browse/SHIRO-460