CVE Vulnerabilities

CVE-2016-4437

Published: Jun 07, 2016 | Modified: Jul 24, 2024
CVSS 3.x: 9.8 CRITICAL
Source: NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.x: 6.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P

RedHat/V2: 6.8 IMPORTANT
AV:N/AC:M/Au:N/C:P/I:P/A:P

RedHat/V3: 7.3 IMPORTANT
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Ubuntu: HIGH

Apache Shiro before 1.2.5, when a cipher key has not been configured for the remember me feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

Affected Software

Name Vendor Start Version End Version
Aurora Apache 0.10.0 (including) 0.18.1 (excluding)
Shiro Apache * 1.2.5 (excluding)
Red Hat JBoss A-MQ 6.3 RedHat *
Red Hat JBoss Fuse 6.3 RedHat *
Shiro Ubuntu artful *
Shiro Ubuntu esm-apps/xenial *
Shiro Ubuntu upstream *
Shiro Ubuntu wily *
Shiro Ubuntu xenial *
Shiro Ubuntu yakkety *
Shiro Ubuntu zesty *

References