{"id":"CVE-2016-4437","details":"Apache Shiro before 1.2.5, when a cipher key has not been configured for the \"remember me\" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.","aliases":["GHSA-p836-389h-j692"],"modified":"2026-04-10T03:51:29.634915Z","published":"2016-06-07T14:06:13.247Z","references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-4437"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2035.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2036.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/archive/1/538570/100/0/threaded"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/91024"},{"type":"ADVISORY","url":"http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/aurora","events":[{"introduced":"fc8697aa0fee97cb587f21334ca58b40546f3e76"},{"fixed":"b009191cf66aa73c5ed85ccfd5d5e322efa11c74"}],"database_specific":{"versions":[{"introduced":"0.10.0"},{"fixed":"0.18.1"}]}},{"type":"GIT","repo":"https://github.com/apache/shiro","events":[{"introduced":"0"},{"fixed":"bf1e04fca099ca6fd1a9a16da1aea04a5bb8f404"},{"introduced":"0"},{"last_affected":"fd7518510dc9c0edc2eabdcc1c1a0708bb5fa421"},{"introduced":"0"},{"last_affected":"fd7518510dc9c0edc2eabdcc1c1a0708bb5fa421"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.2.5"},{"introduced":"0"},{"last_affected":"1.0"},{"introduced":"0"},{"last_affected":"1.0"}]}}],"versions":["shiro-root-1.0.0-incubating"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-4437.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}