← Back to CVEs
CVE-2016-4437
CRITICALCISA KEV9.8
Description
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
CVE Details
CVSS v3.1 Score9.8
SeverityCRITICAL
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published6/7/2016
Last Modified10/22/2025
Sourcekev
Honeypot Sightings0
CISA KEV
VendorApache
ProductShiro
Vulnerability NameApache Shiro Code Execution Vulnerability
KEV Date Added2021-11-03
Remediation Due Date2022-05-03
Ransomware UseUnknown
Affected Products
apache:auroraapache:shiroredhat:fuseredhat:jboss_middleware_text-only_advisories
Weaknesses (CWE)
CWE-321
References
http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html(secalert@redhat.com)
http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html(secalert@redhat.com)
http://rhn.redhat.com/errata/RHSA-2016-2035.html(secalert@redhat.com)
http://rhn.redhat.com/errata/RHSA-2016-2036.html(secalert@redhat.com)
http://www.securityfocus.com/archive/1/538570/100/0/threaded(secalert@redhat.com)
http://www.securityfocus.com/bid/91024(secalert@redhat.com)
https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E(secalert@redhat.com)
http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html(af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html(af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2016-2035.html(af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2016-2036.html(af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/archive/1/538570/100/0/threaded(af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/91024(af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-4437(134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.