Unrated severityNVD Advisory· Published Oct 6, 2014· Updated May 6, 2026

CVE-2014-0074

Description

Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.

Affected products

Apache/Shiro5 versions
cpe:2.3:a:apache:shiro:1.0.0:*:*:*:*:*:*:*+ 4 more
- cpe:2.3:a:apache:shiro:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:shiro:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:shiro:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:shiro:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:shiro:1.2.2:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

issues.apache.org/jira/browse/SHIRO-460nvdExploitVendor Advisory
rhn.redhat.com/errata/RHSA-2014-1351.htmlnvd
seclists.org/fulldisclosure/2014/Mar/22nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000