CVE-2014-0074 — Improper Authentication in Apache Shiro

CWE-287 — Improper Authentication7 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 49.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Shiro

Timeline

PublishedOct 6

Latest updateMay 17

Description

Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶Debianapache/shiro< 1.2.3-1+2

▶NVDapache/shiro5 versions+4

🔴Vulnerability Details

GHSA

GHSA-9486-j794-vqc4: Apache Shiro 1↗2022-05-17

▶

CVEList

CVE-2014-0074: Apache Shiro 1↗2014-10-06

▶

OSV

CVE-2014-0074: Apache Shiro 1↗2014-10-06

▶

📋Vendor Advisories

Red Hat

Shiro: successful authentication without specifying user name or password↗2014-03-04

▶

Debian

CVE-2014-0074: shiro - Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bi...↗2014

▶

💬Community

Bugzilla

CVE-2014-0074 Apache Shiro: successful authentication without specifying user name or password↗2014-03-04

▶