CVE-2016-4437
Summary
| CVE | CVE-2016-4437 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2016-06-07 14:06:00 UTC |
| Updated | 2023-11-07 02:32:00 UTC |
| Description | Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter. |
Risk And Classification
EPSS: 0.942510000 probability, percentile 0.999300000 (date 2026-04-02)
CISA KEV: Listed on 2021-11-03; due 2022-05-03; ransomware use Unknown
Problem Types: CWE-284
CISA Known Exploited Vulnerability
| Vendor | Apache |
|---|---|
| Product | Shiro |
| Name | Apache Shiro Code Execution Vulnerability |
| Required Action | Apply updates per vendor instructions. |
| Notes | https://nvd.nist.gov/vuln/detail/CVE-2016-4437 |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Pony Mail! | lists.apache.org | ||
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | |
| Apache Shiro CVE-2016-4437 Information Disclosure Vulnerability | BID | www.securityfocus.com | |
| Apache Shiro 1.2.4 Remote Code Execution ≈ Packet Storm | MISC | packetstormsecurity.com | |
| Apache Shiro 1.2.4 Information Disclosure ≈ Packet Storm | MISC | packetstormsecurity.com | |
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| SecurityFocus | BUGTRAQ | www.securityfocus.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 730496 Apache Shiro Remote Code Execution (RCE) Vulnerability