Описание
Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.
It was discovered that Apache Shiro authenticated users without specifying a user name or a password when used in conjunction with an LDAP back end that allowed unauthenticated binds.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat JBoss Enterprise Web Server 1 | fuse-6.0 | Affected | ||
| Red Hat JBoss Enterprise Web Server 1 | fuse-esb-7.1 | Affected | ||
| Red Hat JBoss Fuse Service Works 6 | shiro | Will not fix | ||
| Fuse ESB Enterprise 7.1.0 | Fixed | RHSA-2014:1369 | 09.10.2014 | |
| Fuse Management Console 7.1.0 | Fixed | RHSA-2014:1369 | 09.10.2014 | |
| Fuse MQ Enterprise 7.1.0 | Fixed | RHSA-2014:1369 | 09.10.2014 | |
| Red Hat JBoss A-MQ 6.1 | Fixed | RHSA-2014:1351 | 01.10.2014 | |
| Red Hat JBoss Fuse 6.1 | Fixed | RHSA-2014:1351 | 01.10.2014 |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS2
Связанные уязвимости
Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.
Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthen ...
Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.
EPSS
7.5 High
CVSS2