Padding Attack Vulnerability in Apache Shiro by The Apache Software Foundation
CVE-2019-12422

7.5HIGH

Key Information:

Vendor: Apache
Status: Shiro
Vendor: CVE Published:; 18 November 2019

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A vulnerability exists in Apache Shiro versions prior to 1.4.2, specifically related to the default 'remember me' cookie configuration. This flaw can allow attackers to exploit padding oracle attacks, potentially compromising sensitive user data stored in cookies. It is crucial for administrators using affected versions to apply updates to safeguard against exploitation and ensure robust web application security.

Affected Version(s)

Shiro to 1.4.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

RuoYI-4.2-Shiro-721-Docker-PoC
Created by BaiHLiu

References

https://lists.apache.org/thread.html/c9db14cfebfb8e742058...

mailing-listx_refsource_MLIST

https://lists.apache.org/thread.html/r2d2612c034ab21a3a19...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Nov 8, 2024
👾
Exploit known to exist
Nov 8, 2024
Vulnerability published
Nov 18, 2019
Vulnerability Reserved
May 28, 2019