CVE-2016-6802

Description

Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.

How to fix CVE-2016-6802

To remediate CVE-2016-6802, upgrade the affected package to a fixed version below.

• Debian/shiro—upgrade to 1.3.2-1 or later
• Maven/org.apache.shiro:shiro-all—upgrade to 1.3.2 or later
• —upgrade to 1.3.2 or later

Is CVE-2016-6802 being exploited?

Moderate — EPSS is 13.5%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (3)

• from 0, < 1.3.2-1
• from 0, < 1.3.2
• from 0, < 1.3.2

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-6802
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2016-6802
• WEBgithub.com/apache/shiro/commit/b15ab927709ca18ea4a02538be01919a19ab65af
• WEBissues.apache.org/jira/browse/SHIRO-584