Description

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

Remediation

References

http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html

http://www.securityfocus.com/bid/91024

http://rhn.redhat.com/errata/RHSA-2016-2036.html

http://rhn.redhat.com/errata/RHSA-2016-2035.html

http://www.securityfocus.com/archive/1/538570/100/0/threaded

http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html

https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E

Related Vulnerabilities

CVE-2015-5325 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2014-7810 Vulnerability in maven package org.mortbay.jasper:apache-el

CVE-2016-5393 Vulnerability in maven package org.apache.hadoop:hadoop-common

CVE-2022-41654 Vulnerability in npm package ghost

CVE-2023-3431 Vulnerability in maven package net.sourceforge.plantuml:plantuml

Severity

Critical

Classification

CWE-284 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H