CVE-2014-0074

Apache Shiro <1.2.3 - Auth Bypass

Description

Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.

Scores

EPSS 0.0027
EPSS Percentile 49.9%

Classification

CWE
CWE-287
Status draft

Affected Products (5)

apache/shiro
apache/shiro
apache/shiro
apache/shiro
apache/shiro

Timeline

Published Oct 06, 2014
Tracked Since Feb 18, 2026