CVE-2014-0074
EPSS 0.27%
Description
Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.
How to fix CVE-2014-0074
To remediate CVE-2014-0074, upgrade the affected package to a fixed version below.
- Debian/shiro: upgrade to 1.2.3-1 or later
Is CVE-2014-0074 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- versions from 0 up to, but not including, 1.2.3-1