CVE-2019-12422: Improper input validation in Apache Shiro
7.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.98456%
CWE
-
Published
2/4/2020
Updated
3/6/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.apache.shiro:shiro-core | maven | < 1.4.2 | 1.4.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability centers around cryptographic handling of 'remember me' cookies. The CookieRememberMeManager class is explicitly responsible for this functionality. The decrypt method would be the logical location for padding validation checks. While no direct patch code is shown, the CVE description and Shiro's architecture indicate this is the vulnerable entry point. The fix in 1.4.2 likely involved switching to AES-GCM and/or adding constant-time padding validation.