CVE-2016-4437
Apache Shiro Code Execution Vulnerability
- Public Exploits: 8
- Exploited in Wild: Yes
Descriptions
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
It was found that Apache Shiro uses a default cipher key for its "remember me" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content.
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss Fuse 6.3 is a minor product release that updates Red Hat JBoss Fuse 6.2.1, and includes several bug fixes and enhancements.
Apache Shiro contains a vulnerability which may allow remote attackers to execute code or bypass intended access restrictions via an unspecified request parameter when a cipher key has not been configured for the "remember me" feature.
CVSS Scores
SSVC
- Decision: Act
Timeline
- 2016-05-02 CVE Reserved
- 2016-06-03 CVE Published
- 2020-04-29 First Exploit
- 2021-11-03 Exploited in Wild
- 2022-05-03 KEV Due Date
- 2025-02-07 CVE Updated
- 2025-05-04 EPSS Updated
CWE
- CWE-287: Improper Authentication
- CWE-321: Use of Hard-coded Cryptographic Key
CAPEC
References (17)
URL | Date | SRC |
---|---|---|
https://packetstorm.news/files/id/157497 | 2020-04-29 | |
https://www.exploit-db.com/exploits/48410 | 2020-05-01 | |
https://github.com/pizza-power/CVE-2016-4437 | 2024-06-29 | |
https://github.com/xk-mt/CVE-2016-4437 | 2024-01-16 | |
https://github.com/m3terpreter/CVE-2016-4437 | 2021-06-22 | |
https://github.com/bkfish/Awesome_shiro | 2024-12-03 | |
https://github.com/4nth0ny1130/shisoserial | 2023-12-14 | |
http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html | 2025-02-07 | |
URL | Date | SRC |
---|---|---|
http://rhn.redhat.com/errata/RHSA-2016-2035.html | 2024-07-24 | |
http://rhn.redhat.com/errata/RHSA-2016-2036.html | 2024-07-24 | |
https://access.redhat.com/security/cve/CVE-2016-4437 | 2016-10-06 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1343346 | 2016-10-06 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Apache | Aurora | >= 0.10.0 < 0.18.1 | - | Affected
Apache | Shiro | < 1.2.5 | - | Affected
Redhat | Fuse | 1.0 | - | Affected
Redhat | Jboss Middleware Text-only Advisories | 1.0 | middleware | Affected