9.8

CVE-2016-4437

Warnung
Medienbericht
Exploit
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheAurora Version >= 0.10.0 < 0.18.1
ApacheShiro Version < 1.2.5
RedhatFuse Version1.0
RedhatJboss Middleware Text-only Advisories Version1.0 SwPlatformmiddleware

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Apache Shiro Code Execution Vulnerability

Schwachstelle

Apache Shiro contains a vulnerability which may allow remote attackers to execute code or bypass intended access restrictions via an unspecified request parameter when a cipher key has not been configured for the "remember me" feature.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 93.14% 0.998
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-321 Use of Hard-coded Cryptographic Key

The product uses a hard-coded, unchangeable cryptographic key.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
26.06.2026 21:08
http://rhn.redhat.com/errata/RHSA-2016-2035.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-2036.html
Third Party Advisory
http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html
Third Party Advisory
VDB Entry
http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html
Third Party Advisory
Exploit
VDB Entry
http://www.securityfocus.com/archive/1/538570/100/0/threaded
Third Party Advisory
Broken Link
VDB Entry
http://www.securityfocus.com/bid/91024
Third Party Advisory
Broken Link
VDB Entry
https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E
Mailing List
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-4437
US Government Resource