CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2016-4437

CVSS 9.8v3.1pub. 2016-06-07upd. 2026-04-22

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Aurora

    APP
    Apache
    0.10.0 – 0.18.1 (bez)
  • Apache Shiro

    APP
    Apache
    < 1.2.5
  • Red Hat Fuse

    APP
    Redhat
    1.0
  • Red Hat Jboss Middleware Text Only Advisories

    APP
    Redhat
    1.0

CISA KEV — detailsi

Vendori
Apache
Producti
Shiro
Added to KEVi
November 3, 2021
Remediation deadline (US Federal)i
May 3, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

Apache Shiro contains a vulnerability which may allow remote attackers to execute code or bypass intended access restrictions via an unspecified request parameter when a cipher key has not been configured for the "remember me" feature.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 3 maja 2022
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2015-1427CRITICAL9.8⚠ KEVten sam produkt

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to by...

CVE-2025-12543CRITICAL9.6PL ✓ten sam produkt

Brak walidacji nagłówka Host w serwerze Undertow HTTP

CVE-2024-27905CRITICAL9.1PL ✓ten sam produkt

Apache Aurora — padding oracle umożliwia fałszowanie cookie uwierzytelniającego

CVE-2023-34478CRITICAL9.8ten sam produkt

Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an...

CVE-2022-40664CRITICAL9.8ten sam produkt

Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via Requ...