CVE-2016-4437

KEV

🔴 Łataj teraz

Brak konfiguracji klucza szyfrującego w Apache Shiro umożliwia zdalne wykonanie kodu.

CVSS

9.8

EPSS

94.2%

Exploit

weaponized

Vendor

apache

Opis źródłowy (NVD)

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

exploit Brak patcha

Źródła i daty

Źródło	Wartość
NVD – CVSS	9.8
CISA KEV (aktywnie wykorzystywane)	Tak
FIRST EPSS (prawdopodobieństwo exploita)	94.2%
Opublikowano (NVD)	2016-06-07 14:06:13 UTC
Ostatnia modyfikacja (NVD)	2026-04-22 14:36:05 UTC

Referencje

http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html (secalert@redhat.com) [Third Party Advisory, VDB Entry]
http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html (secalert@redhat.com) [Exploit, Third Party Advisory, VDB Entry]
http://rhn.redhat.com/errata/RHSA-2016-2035.html (secalert@redhat.com) [Third Party Advisory]
http://rhn.redhat.com/errata/RHSA-2016-2036.html (secalert@redhat.com) [Third Party Advisory]
http://www.securityfocus.com/archive/1/538570/100/0/threaded (secalert@redhat.com) [Broken Link, Third Party Advisory, VDB Entry]
http://www.securityfocus.com/bid/91024 (secalert@redhat.com) [Broken Link, Third Party Advisory, VDB Entry]
https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E (secalert@redhat.com) [Mailing List]
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-4437 (134c704f-9b21-4f2e-91b3-4a467353bcc0) [US Government Resource]