CVE-2016-4437
CRITICAL9.8⚠ KEVEPSS 94.3%Improper Access Control in Apache Shiro
Published: 5/14/2022Modified: 4/28/2026Added to CISA KEV: 11/3/2021
Description
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
Affected packages (2)
- Debian/shirofrom 0, < 1.2.5-1
- Maven/org.apache.shiro:shiro-corefrom 0, < 1.2.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H |
References (11)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2016-4437
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2016-4437
- WEBhttp://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html
- WEBhttp://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html
- WEBhttp://rhn.redhat.com/errata/RHSA-2016-2035.html
- WEBhttp://rhn.redhat.com/errata/RHSA-2016-2036.html
- WEBhttps://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4@%3Cannouncements.aurora.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E
- WEBhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-4437
- WEBhttp://www.securityfocus.com/archive/1/538570/100/0/threaded
- WEBhttp://www.securityfocus.com/bid/91024