Description
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
Remediation
References
http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html
http://www.securityfocus.com/bid/91024
http://rhn.redhat.com/errata/RHSA-2016-2036.html
http://rhn.redhat.com/errata/RHSA-2016-2035.html
http://www.securityfocus.com/archive/1/538570/100/0/threaded
http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html
https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E