Auth bypass in Apache Shiro
CVE-2014-0074
Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.
Vulnerability class: Broken Authentication
EPSS: 0.003 (50.5th percentile)
Affected products
- Apache Shiro — versions 1.0.0, 1.1.0, 1.2.0
Weakness classification (CWE)
References
- 20140303 [Announce] Apache Shiro 1.2.3 Released - Security Advisory (mailing-list, x_refsource_FULLDISC)
- secalert@redhat.com (Exploit, x_refsource_MISC, Vendor Advisory)
- RHSA-2014:1351 (x_refsource_REDHAT, vendor-advisory)