CVE-2016-4437
critical-risk
Published 2016-06-07
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
Do I need to act?
!
94.3% chance of exploitation in next 30 days
EPSS score — higher than 6% of all CVEs
!
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
!
1 public exploit available
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (4)
References (15)
Third Party Advisory
http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Discl...
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-2035.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-2036.html
Broken Link
http://www.securityfocus.com/bid/91024
Third Party Advisory
http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Discl...
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-2035.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-2036.html
Broken Link
http://www.securityfocus.com/bid/91024
76
/ 100
critical-risk
Severity
32/34 · Critical
Exploitability
34/34 · Critical
Exposure
10/34 · Low