CVE-2014-0074
Apache Shiro 1.x < 1.2.3 - Authentication Bypass via Empty LDAP Credentials
Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password. The mechanism is the LDAP "unauthenticated" bind of RFC 4513 section 5.1.2: a simple bind that carries a DN but an empty password succeeds with an anonymous session on servers that allow it (OpenLDAP refuses it unless `allow bind_anon_dn` is set), so a realm that forwards the submitted credentials into the bind and treats bind success as a verified password accepts any known user with a blank password. Upgrade to 1.2.3 or later, reject empty usernames and passwords before any bind is attempted, and, independently, disable unauthenticated binds on the directory server where the deployment permits it.
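The bypass and the guard against it, as an added example that is not Shiro's code and not taken from any of the references: a hand-rolled LDAPv3 simple-bind encoder and BindResponse parser (usable as a live probe to find out whether a directory honours empty-password binds; plaintext LDAP on the given port is assumed), an in-memory stand-in for the server's RFC 4513 bind decision with a constructed directory entry, and the vulnerable login pattern next to the hardened one. The DN template `cn=<user>,dc=example,dc=com` and the directory contents are assumptions for the demonstration.

```python
"""Why an empty password gets through, and how to check for it.

RFC 4513 section 5.1.2 defines the LDAP "unauthenticated" mechanism: a simple
bind carrying a DN but an empty password. A server with it enabled answers
resultCode 0 (success) and establishes an anonymous session. An application
that forwards user input straight into the bind and reads success as "password
verified" therefore accepts any user with a blank password.
"""
import socket

LDAP_SUCCESS, LDAP_INVALID_CREDENTIALS, LDAP_UNWILLING_TO_PERFORM = 0, 49, 53


# --- minimal BER helpers for a simple bind and its response ------------------
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_simple_bind(msg_id, dn, password):
    """LDAPv3 BindRequest with simple authentication, as raw wire bytes."""
    bind_request = _tlv(0x60,                              # [APPLICATION 0] BindRequest
                        _tlv(0x02, b"\x03")                # version 3
                        + _tlv(0x04, dn.encode())          # name (LDAPDN)
                        + _tlv(0x80, password.encode()))   # simple [0] OCTET STRING
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + bind_request)


def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    _, message, _ = _read_tlv(data, 0)
    _, msg_id, pos = _read_tlv(message, 0)
    tag, op, _ = _read_tlv(message, pos)
    if tag != 0x61:                                        # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)
    _, _matched_dn, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return (int.from_bytes(msg_id, "big"), int.from_bytes(code, "big"),
            diag.decode(errors="replace"))


def probe_unauthenticated_bind(host, port, dn, timeout=5.0):
    """Bind with a DN and an empty password against a live server (plaintext LDAP
    assumed; wrap the socket with ssl for LDAPS). resultCode 0 means the server
    honours unauthenticated binds, so the empty-password check must live in the app."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_simple_bind(1, dn, ""))
        data = sock.recv(4096)                             # one read holds a BindResponse
    _, code, diag = parse_bind_response(data)
    return code, diag


# --- offline model of the server and of the two application behaviours -------
_DIRECTORY = {"cn=alice,dc=example,dc=com": "correct horse battery staple"}  # constructed


def rfc4513_server_bind(dn, password, allow_unauthenticated=True):
    """Constructed stand-in for a server's simple-bind decision (RFC 4513 section 5.1)."""
    if not dn and not password:
        return LDAP_SUCCESS                                # anonymous bind
    if dn and not password:                                # unauthenticated mechanism
        return LDAP_SUCCESS if allow_unauthenticated else LDAP_UNWILLING_TO_PERFORM
    return LDAP_SUCCESS if _DIRECTORY.get(dn) == password else LDAP_INVALID_CREDENTIALS


def _user_dn(username):                                    # assumed DN template
    return f"cn={username},dc=example,dc=com" if username else ""


def login_vulnerable(username, password, bind=rfc4513_server_bind):
    """Pre-fix pattern: input goes straight to the bind, and success == verified."""
    return bind(_user_dn(username), password) == LDAP_SUCCESS


def login_hardened(username, password, bind=rfc4513_server_bind):
    """Refuse empty username or password before any bind, whatever the server allows."""
    if not username or not password:
        return False
    return bind(_user_dn(username), password) == LDAP_SUCCESS


if __name__ == "__main__":
    for name, pw in [("alice", ""), ("", ""), ("alice", "wrong")]:
        print(f"{name!r}/{pw!r}: vulnerable={login_vulnerable(name, pw)} "
              f"hardened={login_hardened(name, pw)}")
```

Against a server that refuses the mechanism the probe returns resultCode 53 (unwillingToPerform); against one that allows it, 0. Either way the application-side check in `login_hardened` is the control that does not depend on directory configuration, which is why the fix belongs in the realm rather than only in slapd.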
References (3)
Core References
Vendor Advisory (Red Hat, RHSA-2014:1351): http://rhn.redhat.com/errata/RHSA-2014-1351.html
Mailing List (Full Disclosure): http://seclists.org/fulldisclosure/2014/Mar/22
Exploit, Vendor Advisory (Apache JIRA, SHIRO-460): https://issues.apache.org/jira/browse/SHIRO-460
Scores
EPSS: 0.0027 (50.3rd percentile)
Details
CWE
CWE-287 (Improper Authentication)
Status
published
Products (5)
apache/shiro: 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.2.2
Published
Oct 06, 2014
Tracked Since
Feb 18, 2026