Miggo Logo

CVE-2019-12422: Improper input validation in Apache Shiro

7.5

CVSS Score
3.1

Basic Information

EPSS Score
0.98456%
CWE
-
Published
2/4/2020
Updated
3/6/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.apache.shiro:shiro-coremaven< 1.4.21.4.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability centers around cryptographic handling of 'remember me' cookies. The CookieRememberMeManager class is explicitly responsible for this functionality. The decrypt method would be the logical location for padding validation checks. While no direct patch code is shown, the CVE description and Shiro's architecture indicate this is the vulnerable entry point. The fix in 1.4.2 likely involved switching to AES-GCM and/or adding constant-time padding validation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*p**** S*iro ***or* *.*.*, w**n usin* t** ****ult "r*m*m**r m*" *on*i*ur*tion, *ooki*s *oul* ** sus**pti*l* to * p***in* *tt**k.

Reasoning

T** vuln*r**ility **nt*rs *roun* *rypto*r*p*i* **n*lin* o* 'r*m*m**r m*' *ooki*s. T** *ooki*R*m*m**rM*M*n***r *l*ss is *xpli*itly r*sponsi*l* *or t*is *un*tion*lity. T** ***rypt m*t*o* woul* ** t** lo*i**l lo**tion *or p***in* v*li**tion ****ks. W*il