CVE-2016-4437 - Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature,

CVE-2016-4437

Summary

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

References

Vulnerable Configurations

cpe:2.3:a:apache:aurora:0.11.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.11.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.12.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.12.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.13.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.13.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.14.0:-:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.14.0:-:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.14.0:rc0:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.14.0:rc0:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.15.0:-:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.15.0:-:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.15.0:rc0:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.15.0:rc0:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.15.0:rc1:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.15.0:rc1:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.16.0:-:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.16.0:-:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.16.0:rc0:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.16.0:rc0:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.16.0:rc1:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.16.0:rc1:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.16.0:rc2:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.16.0:rc2:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.17.0:-:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.17.0:-:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.17.0:rc0:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.17.0:rc0:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.18.0:-:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.18.0:-:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.18.0:rc0:*:*:*:*:*:*
cpe:2.3:a:apache:aurora:0.18.0:rc0:*:*:*:*:*:*
cpe:2.3:a:apache:shiro:-:*:*:*:*:*:*:*
cpe:2.3:a:apache:shiro:-:*:*:*:*:*:*:*
cpe:2.3:a:apache:shiro:1.1.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:shiro:1.1.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:shiro:1.2.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:shiro:1.2.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:shiro:1.2.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:shiro:1.2.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:shiro:1.2.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:shiro:1.2.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:shiro:1.2.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:shiro:1.2.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:shiro:1.2.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:shiro:1.2.4:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:1.0:*:*:*:*:middleware:*:*
cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:1.0:*:*:*:*:middleware:*:*
cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*

CVSS

Base:	6.8 (as of 24-07-2024 - 17:05)
Impact:
Exploitability:

CWE

NVD-CWE-noinfo

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:P/A:P

redhat via4

advisories

rhsa
id RHSA-2016:2035
rhsa
id RHSA-2016:2036

refmap via4

bid	91024
bugtraq	20160603 [Announce] CVE-2016-4437: Apache Shiro information disclosure vulnerability
misc	http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html
mlist	[announcements@aurora.apache.org] 20171101 Apache Aurora information disclosure vulnerability

Last major update

24-07-2024 - 17:05

Published

07-06-2016 - 14:06

Last modified

24-07-2024 - 17:05