{"id":"CVE-2014-0074","details":"Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.","modified":"2026-04-10T03:43:31.641190Z","published":"2014-10-06T14:55:08Z","references":[{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2014-1351.html"},{"type":"ADVISORY","url":"https://issues.apache.org/jira/browse/SHIRO-460"},{"type":"EVIDENCE","url":"https://issues.apache.org/jira/browse/SHIRO-460"},{"type":"WEB","url":"http://seclists.org/fulldisclosure/2014/Mar/22"}],"schema_version":"1.7.5"}