CVE-2016-4437
Description
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
In plain language
AI Act nowCVE-2016-4437 is a serious Apache Shiro weakness that lets remote attackers either run code or get around access rules, without needing a login; if your business uses Apache Shiro versions earlier than 1.2.5 (or Aurora with older versions), you should treat this as an urgent patch.
Apache Shiro before 1.2.5 (and Aurora <0.18.1) is vulnerable when the “remember me” feature is enabled but no cipher key is configured, allowing unauthenticated remote attackers to execute arbitrary code or bypass access restrictions.
What to do now
- Check whether you use Apache Shiro (or an app/server component that bundles Shiro) and confirm the Shiro version in your deployed product stack.
- Check whether your Shiro “remember me” feature is enabled and whether a cipher key is configured for it.
- If you are running Shiro earlier than 1.2.5, upgrade to Apache Shiro 1.2.5 (or later) per the vendor fix.
- If you are running Aurora, upgrade Aurora to 0.18.1 or later.
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:NUser InteractionS:UScopeC:HConfidentialityI:HIntegrityA:HAvailabilityWeaknesses
Affected Products
Exploitability
Required action: Apply updates per vendor instructions.
Exploit details including PoC links, Metasploit modules, and scanner templates are available after registration.
View exploit detailsReferences
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2016-4437 and every CVE in our database. Create a free account — no credit card required.
Create Free Account