CVE-2014-0074

CVE-2014-0074

EPSS 5.5%

Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.

Affected products

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://rhn.redhat.com/errata/RHSA-2014-1351.html http://seclists.org/fulldisclosure/2014/Mar/22 https://issues.apache.org/jira/browse/SHIRO-460