9.8

CVE-2016-4437

Warnung
Exploit

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheAurora Version >= 0.10.0 < 0.18.1
ApacheShiro Version < 1.2.5
RedhatFuse Version1.0
RedhatJboss Middleware Text-only Advisories Version1.0 SwPlatformmiddleware

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Apache Shiro Code Execution Vulnerability

Schwachstelle

Apache Shiro contains a vulnerability which may allow remote attackers to execute code or bypass intended access restrictions via an unspecified request parameter when a cipher key has not been configured for the "remember me" feature.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 94.3% 0.999
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-321 Use of Hard-coded Cryptographic Key

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

http://www.securityfocus.com/archive/1/538570/100/0/threaded
Third Party Advisory
Broken Link
VDB Entry
http://www.securityfocus.com/bid/91024
Third Party Advisory
Broken Link
VDB Entry