Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Aurora
APPApache0.10.0 – 0.18.1 (bez)Apache Shiro
APPApache< 1.2.5Red Hat Fuse
APPRedhat1.0Red Hat Jboss Middleware Text Only Advisories
APPRedhat1.0
CISA KEV — detailsi
- Vendori
- Apache ↗
- Producti
- Shiro
- Added to KEVi
- November 3, 2021
- Remediation deadline (US Federal)i
- May 3, 2022(overdue)
Apply updates per vendor instructions.
Apache Shiro contains a vulnerability which may allow remote attackers to execute code or bypass intended access restrictions via an unspecified request parameter when a cipher key has not been configured for the "remember me" feature.
Related vulnerabilities
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to by...
Brak walidacji nagłówka Host w serwerze Undertow HTTP
Apache Aurora — padding oracle umożliwia fałszowanie cookie uwierzytelniającego
Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an...
Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via Requ...