ID CVE-2016-4437
Summary Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
Note: the "unspecified request parameter" is the rememberMe cookie. Before 1.2.5, a deployment that did not set its own cipher key silently used a default key hard-coded in the Shiro source, so every such installation shared the same key. Because the cookie carries an encrypted, Java-serialized identity, anyone holding that key can mint a cookie that the server decrypts and deserializes, which is the code-execution path. The fix is to upgrade to 1.2.5 or later, which no longer falls back to a shared default, and in any case to configure a per-deployment random key. Apache Aurora is listed below because its scheduler bundles Shiro (see the aurora announcements list reference under refmap).
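Added example, not code from the page or from the Shiro project: the pre-1.2.5 default-key pattern beside the hardened configuration, written against Shiro's public API in Java. The environment variable name SHIRO_REMEMBERME_KEY and the fail-closed startup policy are this example's own choices, not anything Shiro prescribes.

```java
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

public class RememberMeKeyConfig {

    // Hypothetical name of the secret that holds this deployment's key (example's own choice).
    private static final String KEY_ENV = "SHIRO_REMEMBERME_KEY";

    /**
     * Run once per deployment (e.g. from a provisioning script) to create a key.
     * Store the Base64 string in a secret store, never in source control or shiro.ini.
     */
    public static String generateKeyBase64() {
        AesCipherService aes = new AesCipherService();
        byte[] key = aes.generateNewKey(128).getEncoded();   // 128-bit AES key from Shiro's SecureRandom
        return Base64.encodeToString(key);
    }

    /** Weak (pre-1.2.5 behaviour): no key set, so the library's built-in default is used. */
    public static CookieRememberMeManager weakManager() {
        return new CookieRememberMeManager();                 // same key as every other unconfigured install
    }

    /** Hardened: key is explicit, loaded from the secret store, and startup fails if it is absent. */
    public static CookieRememberMeManager hardenedManager() {
        String b64 = System.getenv(KEY_ENV);
        if (b64 == null || b64.isEmpty()) {
            throw new IllegalStateException(KEY_ENV + " not set; refusing to start with a default rememberMe key");
        }
        byte[] key = Base64.decode(b64);
        if (key.length != 16 && key.length != 24 && key.length != 32) {
            throw new IllegalStateException("rememberMe key must be a 128/192/256-bit AES key");
        }
        CookieRememberMeManager rmm = new CookieRememberMeManager();
        rmm.setCipherKey(key);                                // per-deployment secret replaces the default
        return rmm;
    }

    /** Security manager wired with the hardened rememberMe manager. */
    public static DefaultWebSecurityManager securityManager() {
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
        sm.setRememberMeManager(hardenedManager());
        return sm;
    }

    public static void main(String[] args) {
        System.out.println("New rememberMe key (store as " + KEY_ENV + "): " + generateKeyBase64());
    }
}
```

The key is the only thing standing between an attacker and the cookie's deserialization step, so treat it like a session-signing secret: keep it out of the repository, rotate it if it leaks (rotation logs out remembered users, which is the acceptable cost), and do not let the application start with no key rather than letting a library default fill in.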
References
Vulnerable Configurations
  • cpe:2.3:a:apache:aurora:0.11.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:aurora:0.12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:aurora:0.13.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:aurora:0.14.0:-:*:*:*:*:*:*
  • cpe:2.3:a:apache:aurora:0.14.0:rc0:*:*:*:*:*:*
  • cpe:2.3:a:apache:aurora:0.15.0:-:*:*:*:*:*:*
  • cpe:2.3:a:apache:aurora:0.15.0:rc0:*:*:*:*:*:*
  • cpe:2.3:a:apache:aurora:0.15.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:apache:aurora:0.16.0:-:*:*:*:*:*:*
  • cpe:2.3:a:apache:aurora:0.16.0:rc0:*:*:*:*:*:*
  • cpe:2.3:a:apache:aurora:0.16.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:apache:aurora:0.16.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:apache:aurora:0.17.0:-:*:*:*:*:*:*
  • cpe:2.3:a:apache:aurora:0.17.0:rc0:*:*:*:*:*:*
  • cpe:2.3:a:apache:aurora:0.18.0:-:*:*:*:*:*:*
  • cpe:2.3:a:apache:aurora:0.18.0:rc0:*:*:*:*:*:*
  • cpe:2.3:a:apache:shiro:-:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:shiro:1.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:shiro:1.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:shiro:1.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:shiro:1.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:shiro:1.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:shiro:1.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:1.0:*:*:*:*:middleware:*:*
  • cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 24-07-2024 - 17:05)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
redhat via4
advisories
  • rhsa
    id RHSA-2016:2035
  • rhsa
    id RHSA-2016:2036
refmap via4
bid 91024
bugtraq 20160603 [Announce] CVE-2016-4437: Apache Shiro information disclosure vulnerability
misc
mlist [announcements@aurora.apache.org] 20171101 Apache Aurora information disclosure vulnerability
Last major update 24-07-2024 - 17:05
Published 07-06-2016 - 14:06
Last modified 24-07-2024 - 17:05