CVE-2016-4437: Improper Access Control in Apache Shiro

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.99936%
Published: 5/14/2022
Updated: 7/25/2024
KEV Status: Yes
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name                 Ecosystem   Vulnerable Versions   First Patched Version
org.apache.shiro:shiro-core  maven       <= 1.2.4              1.2.5

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from CookieRememberMeManager using a default cryptographic key when none is configured. During exploitation:

  1. The attacker crafts a malicious serialized object
  2. The application receives a forged 'remember me' cookie carrying it
  3. CookieRememberMeManager.decrypt() is invoked to process the cookie
  4. getDecryptionCipherKey() supplies the default, publicly known key
  5. The decrypted payload is then deserialized insecurely via these methods

These functions appear in stack traces when malicious cookies are processed. The patch in 1.2.5 likely enforced key configuration and removed the defaults.

WAF Protection Rules

WAF Rule

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
