Description
Apache Shiro is a Java security framework that performs authentication, authorization, cryptography, and session management.
Shiro's "remember me" feature stores the remembered identity in a rememberMe cookie whose value is a Java-serialized object, AES-CBC-encrypted and then Base64-encoded. Affected releases encrypt this cookie with a hardcoded default key that ships in Shiro's own source, so the key is public knowledge and any client can mint a cookie the server will accept. An attacker can build a malicious serialized object (for example a gadget chain from a library present on the application's classpath), encrypt it with the default key, Base64-encode it, and send it as the rememberMe cookie. Shiro decodes, decrypts and deserializes the cookie without further validation, which typically yields remote code execution with the privileges of the application.
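The cookie construction described above, as an added example written against Shiro 1.x's public API (this is illustrative code, not Shiro's own implementation). It serializes a harmless String in place of a gadget chain, encrypts it with the key hardcoded in the affected releases, and shows that the server-side read-back succeeds with that key and fails once a freshly generated per-deployment key is used. `mintCookie`, `unsafeReadCookie` and `RememberMeKeyDemo` are names chosen here, not Shiro identifiers.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.security.Key;

import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;

/**
 * Reconstruction of the rememberMe cookie format used by Shiro:
 *   cookie = Base64( AES-CBC( IV || serialize(object) ) )
 * AesCipherService prepends a random IV to the ciphertext for us.
 * Illustrative code, not part of Apache Shiro.
 */
public class RememberMeKeyDemo {

    // Key hardcoded in the affected Shiro releases. It is public, which is the whole problem.
    static final byte[] DEFAULT_KEY = Base64.decode("kPH+bIxk5D2deZiIxcaaaA==");

    static final AesCipherService AES = new AesCipherService();

    /** Attacker side: serialize an object, encrypt it with the known key, Base64-encode it. */
    static String mintCookie(Object payload, byte[] key) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(payload);
        }
        return AES.encrypt(bos.toByteArray(), key).toBase64();
    }

    /** Vulnerable server side: decode, decrypt, and deserialize whatever the client sent. */
    static Object unsafeReadCookie(String cookie, byte[] key) throws Exception {
        byte[] plain = AES.decrypt(Base64.decode(cookie), key).getBytes();
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(plain))) {
            // With a gadget-chain payload, code execution happens inside readObject().
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Harmless stand-in for a malicious object; the format is what matters here.
        String cookie = mintCookie("attacker-controlled object", DEFAULT_KEY);
        System.out.println("Cookie: rememberMe=" + cookie);
        System.out.println("Server read back: " + unsafeReadCookie(cookie, DEFAULT_KEY));

        // Hardened configuration: a unique random key per deployment. Generate it once,
        // store it as a secret, and configure it, e.g. in shiro.ini:
        //   securityManager.rememberMeManager.cipherKey = <base64 of fresh.getEncoded()>
        // or programmatically via AbstractRememberMeManager.setCipherKey(byte[]).
        Key fresh = AES.generateNewKey();
        System.out.println("Generated cipherKey = " + Base64.encodeToString(fresh.getEncoded()));

        // A cookie minted with the public default key is now rejected: AES padding fails
        // (Shiro wraps this in a CryptoException) before any deserialization takes place.
        try {
            unsafeReadCookie(cookie, fresh.getEncoded());
            System.out.println("Unexpected: default-key cookie accepted");
        } catch (Exception e) {
            System.out.println("Default-key cookie rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

A practical black-box check follows from the same mechanics: send a rememberMe cookie encrypted with a candidate key. If the server answers with `Set-Cookie: rememberMe=deleteMe`, decryption failed and that key is not in use; if the response omits that header, the key was accepted and the deployment is exposed to anyone holding it.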
Remediation
Upgrade to a fixed release of Apache Shiro. Fixed releases no longer use the shipped default key and instead generate a random cipher key at startup when none is configured. If a static key is needed so that remembered sessions survive restarts or work across a cluster, generate a unique random key for each deployment, configure it via securityManager.rememberMeManager.cipherKey, keep it out of source control, and never reuse a key copied from documentation, tutorials or other projects: published lists of such leaked keys are routinely tried by attackers against any Shiro endpoint they find.
Related Vulnerabilities
WordPress Plugin Master Popups Remote Code Execution (1.0.0)
Apache Struts Path traversal (S2-067/CVE-2024-53677, S2-066/CVE-2023-50164)
WordPress Plugin WooCommerce Possible Remote Code Execution (3.5.0)
Remote code execution in bootstrap-sass 3.2.0.3
WordPress Plugin Form Manager Remote Command Execution (1.7.2)