Lucene search
Veracode Vulnerability DatabaseVERACODE:21980HistoryNov 19, 2019 - 6:49 a.m.
Padding Oracle Attack
2019-11-1906:49:41
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
9
0.002 Low
EPSS
Percentile
56.9%
Apache Shiro is vulnerable to padding oracle attack. The attack is possible as it adopts RememberMe configuration for cookies as a default and uses CBC mode of encryption, which would allow an attacker to perform a Java deserialization attack that results in remote code execution.
| CPE | Name | Operator | Version |
|---|---|---|---|
| apache shiro :: cryptography :: ciphers | le | 1.4.1 | |
| apache shiro :: cryptography :: ciphers | le | 1.4.1 |
References
issues.apache.org/jira/browse/SHIRO-721
lists.apache.org/thread.html/c9db14cfebfb8e74205884ed2bf2e2b30790ce24b7dde9191c82572c@%3Cdev.shiro.apache.org%3E
lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040@%3Ccommits.shiro.apache.org%3E
meterpreter.org/unpatch-apache-shiro-padding-oracle-remote-code-execution-vulnerability-alert/
www.mail-archive.com/[email protected]/msg04944.html
Related
osv
osv
CVE-2019-12422
2019-11-18 23:15:11
Improper input validation in Apache Shiro
2020-02-04 22:36:36
github
github
Improper input validation in Apache Shiro
2020-02-04 22:36:36
nvd
nvd
CVE-2019-12422
2019-11-18 23:15:11
cvelist
cvelist
CVE-2019-12422
2019-11-18 22:04:21
symantec
symantec
Apache Shiro CVE-2019-12422 Information Disclosure Vulnerability
2019-11-18 00:00:00
redhatcve
redhatcve
CVE-2019-12422
2019-11-20 20:07:26
nessus
nessus
Apache Shiro < 1.4.2 Padding Attack
2022-06-01 00:00:00
prion
prion
Default configuration
2019-11-18 23:15:00
cve
cve
CVE-2019-12422
2019-11-18 23:15:11
ubuntucve
ubuntucve
CVE-2019-12422
2019-11-18 00:00:00
debiancve
debiancve
CVE-2019-12422
2019-11-18 23:15:11
ibm
ibm
redhat
redhat
(RHSA-2020:0983) Important: Red Hat Fuse 7.6.0 security update
2020-03-26 15:40:22