8.8
CVE-2026-49268
- EPSS 0.49%
- Veröffentlicht 17.06.2026 13:07:44
- Zuletzt bearbeitet 17.06.2026 13:07:44
- Quelle f0158376-9dc2-43b6-827c-5f631a
- CVE-Watchlists
- Unerledigt
Apache Shiro: LDAP DN Injection in DefaultLdapRealm
A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate the DN structure used for LDAP bind authentication, potentially bypassing authentication or impersonating other users. This issue affects all Apache Shiro versions through 2.2.0, and 3.0.0-alpha-1 when using DefaultLdapRealm Upgrade to Apache Shiro 2.2.1 or 3.0.0-alpha-2 or later, which fixes the issue.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerApache Software Foundation
≫
Produkt
Apache Shiro
Default Statusunaffected
Version <=
2.2.0
Version
0
Status
affected
Version <=
3.0.0-alpha-1
Version
3.0.0-alpha-0
Status
affected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.49% | 0.384 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| f0158376-9dc2-43b6-827c-5f631a4d8d09 | 8.8 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/S:P/AU:Y/R:A/RE:L/U:Red
|
https://lists.apache.org/thread/svszql3od8td7hn6conyj2oq70v53b5s