CVE-2016-4437: Improper Access Control in Apache Shiro
CVSS Score: 9.8 (CVSS 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.99936%
CWE
Published: 5/14/2022
Updated: 7/25/2024
KEV Status: Yes
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.shiro:shiro-core | maven | <= 1.2.4 | 1.2.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from CookieRememberMeManager using a default cryptographic key when none is configured. During exploitation:
- The attacker crafts a malicious serialized object
- The application receives a forged 'remember me' cookie
- CookieRememberMeManager.decrypt() is invoked to process it
- getDecryptionCipherKey() supplies the default, insecure key
- Insecure deserialization occurs through these methods
These functions appear in stack traces when malicious cookies are processed. The patch in 1.2.5 likely enforced key configuration and removed the defaults.
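The mitigation that follows from the analysis above is to stop relying on the built-in cipher key and configure a per-deployment key explicitly (in addition to upgrading shiro-core to 1.2.5 or later). The snippet below is an added example written for this page; it is not code from the advisory or from the Apache Shiro project. It contrasts the unconfigured remember-me manager with one that receives an explicitly generated AES key, and it assumes the key is supplied through an environment variable named SHIRO_REMEMBERME_KEY (that name is an assumption of this example). The Shiro classes and methods used (CookieRememberMeManager.setCipherKey, AesCipherService.generateNewKey, org.apache.shiro.codec.Base64) are part of the Shiro API.

```java
// Added example for this advisory page, not Apache Shiro project code.
// Demonstrates the defensive configuration: never let the remember-me
// manager fall back to a library-wide default cipher key.
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

public class RememberMeKeyConfig {

    // Weak pattern on shiro-core <= 1.2.4: no key is set, so the manager
    // uses the default key shipped with the library. Anyone who knows that
    // default can produce a cookie that decrypt() accepts and deserializes.
    static CookieRememberMeManager unconfiguredManager() {
        return new CookieRememberMeManager();
    }

    // Hardened pattern: supply a deployment-specific AES key so that forged
    // cookies fail decryption before any deserialization takes place.
    static CookieRememberMeManager configuredManager(String base64Key) {
        CookieRememberMeManager mgr = new CookieRememberMeManager();
        mgr.setCipherKey(Base64.decode(base64Key));
        return mgr;
    }

    // One-time helper: generate a fresh AES key and encode it for storage
    // in a secret store. Run once per deployment, never commit the output.
    static String generateKey() {
        AesCipherService aes = new AesCipherService();
        return Base64.encodeToString(aes.generateNewKey().getEncoded());
    }

    public static void main(String[] args) {
        // Environment variable name is an assumption of this example.
        String key = System.getenv("SHIRO_REMEMBERME_KEY");
        if (key == null || key.isEmpty()) {
            // Fail closed: refuse to start with an unconfigured key rather
            // than silently falling back to a default.
            throw new IllegalStateException(
                "SHIRO_REMEMBERME_KEY is not set; run generateKey() once and store the result");
        }
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRememberMeManager(configuredManager(key));
        // Register securityManager with the web environment as usual.
    }
}
```

The same setting can be expressed in shiro.ini as `securityManager.rememberMeManager.cipherKey = <base64 key>`; the important part is that the value is generated per deployment, kept out of source control, and rotated if it is ever exposed, since anyone holding the key can mint cookies that reach the deserialization path described above.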