CVE-2016-4437

Published on: 06/07/2016 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:26:59 PM UTC

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Certain versions of Shiro from Apache contain the following vulnerability:

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

  • CVE-2016-4437 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.

CVSS3 Score: 8.1 - HIGH

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS2 Score: 6.8 - MEDIUM

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

CVE References

  • REDHAT RHSA-2016:2036 - Red Hat Customer Portal (web.archive.org; link inactive, not archived)
  • BID 91024 - Apache Shiro CVE-2016-4437 Information Disclosure Vulnerability, cve.report (archive)
  • MISC - Apache Shiro 1.2.4 Remote Code Execution, Packet Storm: packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html
  • MISC - Apache Shiro 1.2.4 Information Disclosure, Packet Storm: packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html
  • REDHAT RHSA-2016:2035 - Red Hat Customer Portal (web.archive.org; link inactive, not archived)
  • MLIST [[email protected]] 20171101 Apache Aurora information disclosure vulnerability - Pony Mail, lists.apache.org
  • BUGTRAQ 20160603 [Announce] CVE-2016-4437: Apache Shiro information disclosure vulnerability - SecurityFocus, www.securityfocus.com

Exploit/POC from Github

CVE-2016-4437-Shiro deserialization: key brute-force module, command execution, and reverse-shell scripts

Known Affected Configurations (CPE V2.3)

Type: Application
Vendor: Apache
Product: Shiro
Version: All
Update: All
Edition: All
Language: All

  • cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*: