Description

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

Remediation

References

http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html

http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html

http://rhn.redhat.com/errata/RHSA-2016-2035.html

http://rhn.redhat.com/errata/RHSA-2016-2036.html

http://www.securityfocus.com/archive/1/538570/100/0/threaded

http://www.securityfocus.com/bid/91024

https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E

Related Vulnerabilities

CVE-2019-0225 Vulnerability in maven package org.apache.jspwiki:jspwiki-builder

CVE-2020-8441 Vulnerability in maven package org.jyaml:jyaml

CVE-2021-26540 Vulnerability in npm package sanitize-html

CVE-2016-10663 Vulnerability in npm package wixtoolset

CVE-2020-28278 Vulnerability in maven package org.webjars.npm:shvl

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory VDB Entry Exploit Broken Link Mailing List NVD-CWE-noinfo