Description
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
It was found that Apache Shiro uses a default cipher key for its "remember me" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat JBoss A-MQ 6 | shiro-core | Affected | | |
| Red Hat JBoss Fuse 6 | shiro-core | Affected | | |
| Red Hat JBoss Fuse Service Works 6 | shiro-core | Affected | | |
| Red Hat OpenShift Enterprise 2 | shiro-core | Affected | | |
| Red Hat JBoss A-MQ 6.3 | | Fixed | RHSA-2016:2036 | 06.10.2016 |
| Red Hat JBoss Fuse 6.3 | | Fixed | RHSA-2016:2035 | 06.10.2016 |
Additional information
Status:
EPSS
CVSS3: 7.3 High
CVSS2: 6.8 Medium