Description

Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2014-1351.html

https://issues.apache.org/jira/browse/SHIRO-460

http://seclists.org/fulldisclosure/2014/Mar/22

Related Vulnerabilities

CVE-2023-22893 Vulnerability in npm package @strapi/plugin-users-permissions

CVE-2022-41713 Vulnerability in maven package org.webjars.npm:deep-object-diff

CVE-2021-23377 Vulnerability in npm package onion-oled-js

CVE-2023-50728 Vulnerability in npm package @octokit/webhooks

CVE-2020-26256 Vulnerability in npm package @fast-csv/parse

Severity

Critical

Classification

CWE-287

Tags

Exploit Vendor Advisory