|
|
|||
| Rule General Information |
|---|
| Release Date: | 2020-04-02 | |
| Rule Name: | Shiro RememberMe Deserialization Vulnerability (CVE-2016-4437) | |
| Severity: | ||
| CVE ID: | ||
| Rule Protection Details |
|---|
| Description: | Apache Shiro before 1.2.5, when a cipher key has not been configured for the remember me feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter. This rule works with Shiro before 1.2.5. If Shiro 1.2.5 or later is be used, please turn off this rule. | |
| Impact: | An attacker can execute arbitrary code via a successful exploit in the context of the vulnerable software. | |
| Affected OS: | Windows, Linux | |
| Reference: | SecurityFocusBID:91024 http://www.securityfocus.com/archive/1/538570/100/0/threaded http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html http://rhn.redhat.com/errata/RHSA-2016-2035.html |
|
| Solutions |
|---|
| The vendors have released upgrade patches to fix vulnerabilities, please visit: http://shiro.apache.org/download.html |