Description

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

Remediation

References

http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html

http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html

http://rhn.redhat.com/errata/RHSA-2016-2035.html

http://rhn.redhat.com/errata/RHSA-2016-2036.html

http://www.securityfocus.com/archive/1/538570/100/0/threaded

http://www.securityfocus.com/bid/91024

https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E

Related Vulnerabilities

CVE-2023-31419 Vulnerability in maven package org.elasticsearch:elasticsearch

CVE-2023-28155 Vulnerability in maven package org.webjars.npm:request

CVE-2017-12610 Vulnerability in maven package org.apache.kafka:kafka

CVE-2021-25912 Vulnerability in npm package dotty

CVE-2019-16728 Vulnerability in maven package org.webjars.bower:dompurify

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory VDB Entry Exploit Broken Link Mailing List NVD-CWE-noinfo