9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2016-4437

GHSA ID

GHSA-p836-389h-j692

EPSS Score

0.99936%

CWE

CWE-284

Published

5/14/2022

Updated

7/25/2024

KEV Status

Yes

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-4437

CVE-2016-4437: Improper Access Control in Apache Shiro

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2016-4437

GHSA ID

GHSA-p836-389h-j692

EPSS Score

0.99936%

CWE

CWE-284

Published

5/14/2022

Updated

7/25/2024

KEV Status

Yes

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.shiro:shiro-core	maven	<= 1.2.4	1.2.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from CookieRememberMeManager using default cryptographic keys when none are configured. During exploitation:

Attacker crafts malicious serialized object
Application receives forged 'remember me' cookie
CookieRememberMeManager.decrypt() is invoked to process it
getDecryptionCipherKey() provides default insecure key
Insecure deserialization occurs via these methods

These functions appear in stack traces when processing malicious cookies. The patch in 1.2.5 likely enforced key configuration and removed defaults.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*p**** S*iro ***or* *.*.*, w**n * *ip**r k*y **s not ***n *on*i*ur** *or t** "r*m*m**r m*" ***tur*, *llows r*mot* *tt**k*rs to *x**ut* *r*itr*ry *o** or *yp*ss int*n*** ****ss r*stri*tions vi* *n unsp**i*i** r*qu*st p*r*m*t*r.

Reasoning

T** vuln*r**ility st*ms *rom *ooki*R*m*m**rM*M*n***r usin* ****ult *rypto*r*p*i* k*ys w**n non* *r* *on*i*ur**. *urin* *xploit*tion: *. *tt**k*r *r**ts m*li*ious s*ri*liz** o*j**t *. *ppli**tion r***iv*s *or*** 'r*m*m**r m*' *ooki* *. *ooki*R*m*m**rM

9.8

Basic Information

Concerned about an active attack path?

CVE-2016-4437: Improper Access Control in Apache Shiro

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI