CVE-2014-0074

Currently unrated

Key Information:

Vendor: Apache
Status: Shiro
Vendor: CVE Published:; 6 October 2014

Summary

Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.

References

http://seclists.org/fulldisclosure/2014/Mar/22

mailing-listx_refsource_FULLDISC

https://issues.apache.org/jira/browse/SHIRO-460

x_refsource_MISC

http://rhn.redhat.com/errata/RHSA-2014-1351.html

vendor-advisoryx_refsource_REDHAT

Timeline

Vulnerability published
Oct 6, 2014
Vulnerability Reserved
Dec 3, 2013