Vulnerabilities > CVE-2016-4437
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 23 | |
Application | 2 |
Exploit-Db
id | EDB-ID:48410 |
last seen | 2020-05-01 |
modified | 2020-05-01 |
published | 2020-05-01 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/48410 |
title | Apache Shiro 1.2.4 - Cookie RememberME Deserial RCE (Metasploit) |
Metasploit
description | This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apache Shiro v1.2.4. |
id | MSF:EXPLOIT/MULTI/HTTP/SHIRO_REMEMBERME_V124_DESERIALIZE |
last seen | 2020-06-10 |
modified | 2020-04-28 |
published | 2019-02-04 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/shiro_rememberme_v124_deserialize.rb |
title | Apache Shiro v1.2.4 Cookie RememberME Deserial RCE |
Packetstorm
data source | https://packetstormsecurity.com/files/download/157497/shiro_rememberme_v124_deserialize.rb.txt |
id | PACKETSTORM:157497 |
last seen | 2020-05-02 |
published | 2020-04-29 |
reporter | L |
source | https://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html |
title | Apache Shiro 1.2.4 Remote Code Execution |
Redhat
advisories |
|
References
- http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html
- http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html
- http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html
- http://rhn.redhat.com/errata/RHSA-2016-2035.html
- http://rhn.redhat.com/errata/RHSA-2016-2035.html
- http://rhn.redhat.com/errata/RHSA-2016-2036.html
- http://rhn.redhat.com/errata/RHSA-2016-2036.html
- http://www.securityfocus.com/archive/1/538570/100/0/threaded
- http://www.securityfocus.com/archive/1/538570/100/0/threaded
- http://www.securityfocus.com/bid/91024
- http://www.securityfocus.com/bid/91024
- https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E
- https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E