Description

Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2014-1351.html

http://seclists.org/fulldisclosure/2014/Mar/22

https://issues.apache.org/jira/browse/SHIRO-460

Related Vulnerabilities

CVE-2023-37460 Vulnerability in maven package org.codehaus.plexus:plexus-archiver

CVE-2020-14968 Vulnerability in maven package org.webjars.bowergithub.kjur:jsrsasign

CVE-2023-22465 Vulnerability in maven package org.http4s:http4s-core_3

CVE-2023-32007 Vulnerability in maven package org.apache.spark:spark-core_2.12

CVE-2022-25860 Vulnerability in npm package simple-git

Severity

Critical

Classification

CWE-287

Tags

Exploit Vendor Advisory