Critical severity 9.8 · CISA KEV · NVD Advisory · Published Jun 7, 2016 · Updated Apr 22, 2026
CVE-2016-4437
Description
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.shiro:shiro-core (Maven) | < 1.2.5 | 1.2.5 |
Affected products
- cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:1.0:*:*:*:*:middleware:*:*
Patches
- 2b009191cf66abf1e04fca099
References
- packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html (NVD: Exploit, Third Party Advisory, VDB Entry)
- packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html (NVD: Third Party Advisory, VDB Entry)
- rhn.redhat.com/errata/RHSA-2016-2035.html (NVD: Third Party Advisory)
- rhn.redhat.com/errata/RHSA-2016-2036.html (NVD: Third Party Advisory)
- www.securityfocus.com/archive/1/538570/100/0/threaded (NVD: Broken Link, Third Party Advisory, VDB Entry)
- www.securityfocus.com/bid/91024 (NVD: Broken Link, Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-p836-389h-j692 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-4437 (GHSA: Advisory)
- lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E (NVD: Mailing List)
- lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4@%3Cannouncements.aurora.apache.org%3E (GHSA)
- www.cisa.gov/known-exploited-vulnerabilities-catalog (NVD: US Government Resource)