CVE-2016-4437 — CRITICAL (9.8)

Q: How severe is CVE-2016-4437?

CVE-2016-4437 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2016-4437?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Aurora, Apache Shiro, Redhat Fuse, Redhat Jboss Middleware Text-Only Advisories.

Vulnerability Description

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Aurora	>= 0.10.0, < 0.18.1
Apache	Shiro	< 1.2.5
Redhat	Fuse	1.0
Redhat	Jboss Middleware Text-Only Advisories	1.0

Related Weaknesses (CWE)

CWE-321

References

http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-DisclThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-ExecuExploitThird Party AdvisoryVDB Entry
http://rhn.redhat.com/errata/RHSA-2016-2035.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-2036.htmlThird Party Advisory
http://www.securityfocus.com/archive/1/538570/100/0/threadedBroken LinkThird Party AdvisoryVDB Entry
http://www.securityfocus.com/bid/91024Broken LinkThird Party AdvisoryVDB Entry
https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28cMailing List
http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-DisclThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-ExecuExploitThird Party AdvisoryVDB Entry
http://rhn.redhat.com/errata/RHSA-2016-2035.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-2036.htmlThird Party Advisory
http://www.securityfocus.com/archive/1/538570/100/0/threadedBroken LinkThird Party AdvisoryVDB Entry
http://www.securityfocus.com/bid/91024Broken LinkThird Party AdvisoryVDB Entry
https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28cMailing List
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-US Government Resource

FAQ

What is CVE-2016-4437?

CVE-2016-4437 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unsp...

How severe is CVE-2016-4437?

CVE-2016-4437 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2016-4437?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Aurora, Apache Shiro, Redhat Fuse, Redhat Jboss Middleware Text-Only Advisories.