CVE-2016-4437 — Improper Access Control in Apache Shiro

Description

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

How to fix CVE-2016-4437

To remediate CVE-2016-4437, upgrade the affected package to a fixed version below.

—upgrade to 1.2.5-1 or later
—upgrade to 1.2.5 or later

Is CVE-2016-4437 being exploited?

Yes — CVE-2016-4437 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.

Affected packages (2)

from 0, < 1.2.5-1
from 0, < 1.2.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H

References (11)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-4437
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2016-4437
WEBpacketstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html
WEBpacketstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html