CVE-2019-12422

Description

Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.

How to fix CVE-2019-12422

To remediate CVE-2019-12422, upgrade the affected package to a fixed version below.

• Debian/shiro—no fix listed
• Maven/org.apache.shiro:shiro-core—upgrade to 1.4.2 or later

Is CVE-2019-12422 being exploited?

Likely — EPSS is 54.9%, placing CVE-2019-12422 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (2)

• from 0
• from 0, < 1.4.2

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-12422
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2019-12422
• WEBlists.apache.org/thread.html/c9db14cfebfb8e74205884ed2bf2e2b30790ce24b7dde9191c82572c@%3Cdev.shiro.apache.org%3E
• WEBlists.apache.org