Authentication Bypass in Apache Shiro 1.x
CVE-2014-0074
Currently unrated
Summary
Apache Shiro versions prior to 1.2.3 are vulnerable to an authentication bypass when configured to use an LDAP server with unauthenticated bind enabled. A remote attacker can bypass authentication by submitting an empty username or password. The result may be unauthorized access to the affected system, potentially compromising sensitive data and undermining application security.
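The following is an added example, not code from Apache Shiro or from this advisory: a small Python model of the failure mode, assuming the application treats any successful LDAP simple bind as proof of identity. ModelDirectory, login_trusting_bind, login_hardened and the sample DN and password are hypothetical names and constructed data.

```python
from dataclasses import dataclass


class BindError(Exception):
    """Raised when the modelled directory rejects a simple bind."""


@dataclass
class ModelDirectory:
    """Constructed stand-in for an LDAP server; not a real client or server."""
    users: dict                               # DN -> password (constructed sample data)
    allow_unauthenticated_bind: bool = True   # the server setting named in the advisory

    def simple_bind(self, dn: str, password: str) -> str:
        """Return the identity the session ends up bound as, or raise BindError."""
        if password == "":
            # RFC 4513 section 5.1.2: a simple bind with an empty password is an
            # unauthenticated bind. The supplied DN is not verified and the
            # session is anonymous, yet the bind itself reports success.
            if self.allow_unauthenticated_bind:
                return "anonymous"
            raise BindError("unauthenticated bind disabled")
        if self.users.get(dn) == password:
            return dn
        raise BindError("invalid credentials")


def login_trusting_bind(directory: ModelDirectory, dn: str, password: str) -> bool:
    """Flawed pattern: any bind that does not fail is accepted as a login."""
    try:
        directory.simple_bind(dn, password)
        return True
    except BindError:
        return False


def login_hardened(directory: ModelDirectory, dn: str, password: str) -> bool:
    """Reject empty credentials before binding, then require the bound identity to match."""
    if not dn or not password:
        return False
    try:
        return directory.simple_bind(dn, password) == dn
    except BindError:
        return False
```

The model shows two independent controls: the application-side check for empty credentials, and disabling unauthenticated bind on the directory so the empty-password bind fails at the server.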
References
Timeline
Vulnerability published
Vulnerability Reserved