CVE-2016-4437

CVSS 9.8 Critical · EPSS 93.1% · KEV · CWE-321
In short

Apache Shiro's 'remember me' feature has a critical flaw: in releases before 1.2.5, a deployment that does not configure its own cipher key silently falls back to a key hard-coded in the library, so anyone can forge the remember-me cookie. Because that cookie carries a Java-serialized object, a forged one can bypass authentication or, with a suitable deserialization gadget on the classpath, run code on the server. The feature is widely used and the default, unconfigured setup is the vulnerable one.

Technical detail

CVE-2016-4437 is a cryptographic key management flaw (CWE-321, use of a hard-coded cryptographic key) in Apache Shiro's RememberMe functionality. The remember-me cookie holds a Java-serialized principal that Shiro AES-encrypts and base64-encodes; before 1.2.5, when no cipherKey is configured, Shiro uses a key hard-coded in the library, so the encryption gives no secrecy or integrity against anyone who has read the Shiro source. An unauthenticated remote attacker can therefore encrypt an arbitrary serialized object under that key, send it in the remember-me request data, and have the server deserialize it: a forged principal bypasses authentication, and a deserialization gadget chain available on the classpath yields arbitrary code execution. No authentication or user interaction is required. Remediation is to run Shiro 1.2.5 or later, which no longer relies on the fixed default key, and in any version to set an explicit, randomly generated cipherKey; a key copied from documentation or another deployment is as weak as the hard-coded one.
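As an added worked example (not from this page or from the Shiro project), the following Go program reproduces the cookie layout Shiro uses, Base64(IV || AES-CBC-PKCS5(serialized principal)), and implements the check a defender wants: does a rememberMe cookie issued by my own deployment decrypt under the key Shiro hard-coded before 1.2.5? The default key value is the one from the pre-1.2.5 Shiro source (AbstractRememberMeManager); the function names, the constructed payload (a Java serialization header plus filler bytes, not a real object graph) and the fixed IV are this example's own assumptions. Run it only against cookies from systems you are authorized to test.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// DefaultCipherKeyB64 is the AES-128 key hard-coded in Shiro's
// AbstractRememberMeManager before 1.2.5, used when no cipherKey is configured.
const DefaultCipherKeyB64 = "kPH+bIxk5D2deZiIxcaaaA=="

// javaSerialMagic is the header every Java serialization stream starts with.
var javaSerialMagic = []byte{0xAC, 0xED, 0x00, 0x05}

func pkcs5Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs5Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("plaintext not block-aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid PKCS5 padding")
	}
	return b[:len(b)-n], nil
}

// EncodeRememberMe reproduces the cookie layout Shiro produces:
// Base64(IV || AES-CBC-PKCS5(payload)), with the 16-byte IV prepended.
func EncodeRememberMe(key, iv, payload []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	padded := pkcs5Pad(payload, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(append(append([]byte{}, iv...), ct...)), nil
}

// DecodeRememberMe inverts EncodeRememberMe; it fails on malformed input or
// on padding that does not verify (wrong key or tampering).
func DecodeRememberMe(key []byte, cookie string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(cookie)
	if err != nil {
		return nil, err
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("cookie too short or not block-aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := raw[:aes.BlockSize], raw[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs5Unpad(pt, aes.BlockSize)
}

// UsesDefaultKey reports whether a rememberMe cookie issued by the application
// decrypts under the hard-coded key to a Java serialization stream. True means
// anyone can mint such a cookie, so the deployment is exposed to CVE-2016-4437.
func UsesDefaultKey(cookie string) bool {
	key, _ := base64.StdEncoding.DecodeString(DefaultCipherKeyB64)
	pt, err := DecodeRememberMe(key, cookie)
	return err == nil && bytes.HasPrefix(pt, javaSerialMagic)
}

// SampleCookies builds two constructed cookies: one minted with the default key
// (what an unconfigured pre-1.2.5 Shiro issues) and one with a fresh random key
// (what a patched or explicitly keyed deployment issues). The payload is only a
// serialization header plus filler bytes, not a real object graph.
func SampleCookies() (vulnerable, safe string, err error) {
	payload := append(append([]byte{}, javaSerialMagic...), "constructed-principal"...)
	iv := bytes.Repeat([]byte{0x42}, aes.BlockSize) // fixed IV so the output is reproducible
	defaultKey, _ := base64.StdEncoding.DecodeString(DefaultCipherKeyB64)
	randomKey := make([]byte, 16)
	if _, err = rand.Read(randomKey); err != nil {
		return "", "", err
	}
	if vulnerable, err = EncodeRememberMe(defaultKey, iv, payload); err == nil {
		safe, err = EncodeRememberMe(randomKey, iv, payload)
	}
	return vulnerable, safe, err
}

func main() {
	v, s, err := SampleCookies()
	if err != nil {
		panic(err)
	}
	fmt.Println("default-key cookie flagged:", UsesDefaultKey(v))
	fmt.Println("random-key cookie flagged: ", UsesDefaultKey(s))
}
```

To use it against a real deployment, log in with "remember me" ticked, copy the rememberMe cookie your application sets, and pass it to UsesDefaultKey. A true result means the application is encrypting with the publicly known key; a false result only means that particular key is not in use, not that the version is patched, so still confirm the Shiro version and the configured cipherKey. The check requires the padding to verify and the plaintext to begin with the Java serialization header, which keeps false positives from a wrong key negligible.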

Summary generated and translated by AI from the official description.
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Apache Shiro · before 1.2.5
⚠ Public resources for assessing the exposure of systems you control or are authorized to test. Test only with authorization.
