Description

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

Remediation

References

http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html

http://www.securityfocus.com/bid/91024

http://rhn.redhat.com/errata/RHSA-2016-2036.html

http://rhn.redhat.com/errata/RHSA-2016-2035.html

http://www.securityfocus.com/archive/1/538570/100/0/threaded

http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html

https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E

Related Vulnerabilities

CVE-2015-1840 Vulnerability in maven package org.webjars.npm:jquery-ujs

CVE-2021-23414 Vulnerability in npm package video.js

CVE-2016-1000229 Vulnerability in maven package org.webjars.npm:swagger-ui

CVE-2023-47324 Vulnerability in maven package org.silverpeas.core:silverpeas-core-web

CVE-2021-41246 Vulnerability in npm package express-openid-connect

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory VDB Entry Broken Link Exploit Mailing List NVD-CWE-noinfo