CVE-2016-4437
Published: 7 June 2016
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
Priority
Status
Package | Release | Status |
---|---|---|
shiro | impish | Not vulnerable (1.3.2-2) |
shiro | groovy | Not vulnerable (1.3.2-2) |
shiro | jammy | Not vulnerable (1.3.2-2) |
shiro | artful | Ignored (end of life) |
shiro | bionic | Not vulnerable (1.3.2-2) |
shiro | cosmic | Not vulnerable (1.3.2-2) |
shiro | disco | Not vulnerable (1.3.2-2) |
shiro | eoan | Not vulnerable (1.3.2-2) |
shiro | focal | Not vulnerable (1.3.2-2) |
shiro | hirsute | Not vulnerable (1.3.2-2) |
shiro | kinetic | Not vulnerable (1.3.2-2) |
shiro | lunar | Not vulnerable (1.3.2-2) |
shiro | precise | Does not exist |
shiro | trusty | Does not exist |
shiro | upstream | Released (1.2.5-1) |
shiro | wily | Ignored (end of life) |
shiro | xenial | Needed |
shiro | yakkety | Ignored (end of life) |
shiro | zesty | Ignored (end of life) |
shiro | mantic | Not vulnerable (1.3.2-2) |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.1 |
Attack vector | Network |
Attack complexity | High |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |