CVE-2020-11989 – shiro: spring dynamic controllers, a specially crafted request may cause an authentication bypass
https://notcve.org/view.php?id=CVE-2020-11989
In Apache Shiro before 1.5.3, when Shiro is used with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
A flaw was found in Apache Shiro in versions prior to 1.5.3. When using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
• https://github.com/HYWZ36/HYWZ36-CVE-2020-11989-code
• https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E
• https://lists.apache.org/thread.html/r408fe60bc8fdfd7c74135249d646d7abadb807ebf90f6fd2b014df21%40%3Cdev.geode.apache.org%3E
• https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cdev.shiro.apache.org%3E
• https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E
• https://lists.apache.
• CWE-305: Authentication Bypass by Primary Weakness
CVE-2020-1957
https://notcve.org/view.php?id=CVE-2020-1957
In Apache Shiro before 1.5.2, when Shiro is used with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
• https://lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e1be238895648f5a1e6%40%3Cdev.shiro.apache.org%3E
• https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E
• https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3%40%3Ccommits.shiro.apache.org%3E
• https://lists.apache.org/thread.html/rb3982edf8bc8fcaa7a308e25a12d294fb4aac1f1e9d4e14fda639e77%40%3Cdev.geode.apache.org%3E
• https://lists.apache.org/thread.html/rc64fb2336683feff3580c3c3a8b28e80525077621089641f2f386b63%40
CVE-2019-12422 – shiro: Cookie padding oracle vulnerability with default configuration
https://notcve.org/view.php?id=CVE-2019-12422
In Apache Shiro before 1.4.2, when the default "remember me" configuration is used, cookies could be susceptible to a padding attack.
• https://lists.apache.org/thread.html/c9db14cfebfb8e74205884ed2bf2e2b30790ce24b7dde9191c82572c%40%3Cdev.shiro.apache.org%3E
• https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E
• https://access.redhat.com/security/cve/CVE-2019-12422
• https://bugzilla.redhat.com/show_bug.cgi?id=1774726
• CWE-20: Improper Input Validation
CVE-2016-6802
https://notcve.org/view.php?id=CVE-2016-6802
Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.
• http://packetstormsecurity.com/files/138709/Apache-Shiro-Filter-Bypass.html
• http://www.securityfocus.com/archive/1/539397/100/0/threaded
• http://www.securityfocus.com/bid/92947
• CWE-284: Improper Access Control
CVE-2016-4437 – Apache Shiro Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2016-4437
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
It was found that Apache Shiro uses a default cipher key for its "remember me" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content.
Apache Shiro contains a vulnerability which may allow remote attackers to execute code or bypass intended access restrictions via an unspecified request parameter when a cipher key has not been configured for the "remember me" feature.
• https://www.exploit-db.com/exploits/48410
• https://github.com/pizza-power/CVE-2016-4437
• https://github.com/xk-mt/CVE-2016-4437
• https://github.com/m3terpreter/CVE-2016-4437
• http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html
• http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html
• http://rhn.redhat.com/errata/RHSA-2016-2035.html
• http://rhn.redhat.com/errata/RHSA-2016-2036.html
• http://www.securityfocus.com
• CWE-287: Improper Authentication