Mondoo

Vulnerability Management
Technology
Services

Solutions

Financial Services
Manufacturing
Healthcare

Resources

Blog
Vulnerability Database
Documentation
GitHub

Company

About
Careers
Partners
Contact

Legal

Privacy
Terms
Imprint

CVE-2016-4437 | Mondoo Vulnerability Intelligence

Vulnerability IntelligenceCVE-2016-4437

CVE-2016-4437

CRITICAL9.8

Apache Shiro before 1

Published Jun 7, 2016

Modified 5 months ago

Details

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

References

WEB

http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html

WEB

http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html

ADVISORY

http://rhn.redhat.com/errata/RHSA-2016-2035.html

ADVISORY

http://rhn.redhat.com/errata/RHSA-2016-2036.html

WEB

http://www.securityfocus.com/archive/1/538570/100/0/threaded

WEB

http://www.securityfocus.com/bid/91024

WEB

https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E

WEB

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-4437

ADVISORY

https://www.cve.org/CVERecord?id=CVE-2016-4437

CVSS Analysis

CVSS v3.1

9.8

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

HighC:H

Integrity

HighI:H

Availability

HighA:H

9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Ecosystems

Timeline

PublishedJun 7, 2016

ModifiedOct 21, 2025