9.8

CVE-2016-4437

Warning
Exploit

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

Data is provided by the National Vulnerability Database (NVD)
ApacheAurora Version >= 0.10.0 < 0.18.1
ApacheShiro Version < 1.2.5
RedhatFuse Version1.0
RedhatJboss Middleware Text-only Advisories Version1.0 SwPlatformmiddleware

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Apache Shiro Code Execution Vulnerability

Vulnerability

Apache Shiro contains a vulnerability which may allow remote attackers to execute code or bypass intended access restrictions via an unspecified request parameter when a cipher key has not been configured for the "remember me" feature.

Description

Apply updates per vendor instructions.

Required actions
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 94.3% 0.999
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-321 Use of Hard-coded Cryptographic Key

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

http://www.securityfocus.com/archive/1/538570/100/0/threaded
Third Party Advisory
Broken Link
VDB Entry
http://www.securityfocus.com/bid/91024
Third Party Advisory
Broken Link
VDB Entry