Description
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
Remediation
References
http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html
http://www.securityfocus.com/bid/91024
http://rhn.redhat.com/errata/RHSA-2016-2036.html
http://rhn.redhat.com/errata/RHSA-2016-2035.html
http://www.securityfocus.com/archive/1/538570/100/0/threaded
http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html
https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E
Related Vulnerabilities
CVE-2015-5325 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2014-7810 Vulnerability in maven package org.mortbay.jasper:apache-el
CVE-2016-5393 Vulnerability in maven package org.apache.hadoop:hadoop-common
CVE-2022-41654 Vulnerability in npm package ghost
CVE-2023-3431 Vulnerability in maven package net.sourceforge.plantuml:plantuml