{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-03-03T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-10-06T13:57:01.000Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "20140303 [Announce] Apache Shiro 1.2.3 Released - Security Advisory", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2014/Mar/22"}, {"tags": ["x_refsource_MISC"], "url": "https://issues.apache.org/jira/browse/SHIRO-460"}, {"name": "RHSA-2014:1351", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1351.html"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:05:38.510Z"}, "title": "CVE Program Container", "references": [{"name": "20140303 [Announce] Apache Shiro 1.2.3 Released - Security Advisory", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2014/Mar/22"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://issues.apache.org/jira/browse/SHIRO-460"}, {"name": "RHSA-2014:1351", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1351.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-0074", "datePublished": "2014-10-06T14:00:00.000Z", "dateReserved": "2013-12-03T00:00:00.000Z", "dateUpdated": "2024-08-06T09:05:38.510Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:shiro:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "1593675C-A4A3-4EBF-B7E0-40287055FBC3", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:shiro:1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "EB73A4C6-E13B-41FB-A985-A922AC93E710", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:shiro:1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "75049BAF-B1F1-4AD4-89CA-CAB59A4D8FC4", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:shiro:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "04EC6B5A-24AF-45A7-9759-082CCB006F65", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:shiro:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "97A620B6-F598-4C13-916F-B66521335687", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password."}, {"lang": "es", "value": "Apache Shiro 1.x anterior a 1.2.3, cuando se utiliza un servidor LDAP con bind no autenticado habilitado, permite a atacantes remotos evadir la autenticaci\u00f3n a trav\u00e9s de (1) un nombre de usuario vaci\u00f3 o (2) una contrase\u00f1a vac\u00eda."}], "id": "CVE-2014-0074", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-10-06T14:55:08.063", "references": [{"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2014-1351.html"}, {"source": "secalert@redhat.com", "url": "http://seclists.org/fulldisclosure/2014/Mar/22"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://issues.apache.org/jira/browse/SHIRO-460"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2014-1351.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2014/Mar/22"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://issues.apache.org/jira/browse/SHIRO-460"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2014:1369", "cpe": "cpe:/a:redhat:fuse_esb_enterprise:7.1.0", "product_name": "Fuse ESB Enterprise 7.1.0", "release_date": "2014-10-09T00:00:00Z"}, {"advisory": "RHSA-2014:1369", "cpe": "cpe:/a:redhat:fuse_management_console:7.1.0", "product_name": "Fuse Management Console 7.1.0", "release_date": "2014-10-09T00:00:00Z"}, {"advisory": "RHSA-2014:1369", "cpe": "cpe:/a:redhat:fuse_mq_enterprise:7.1.0", "product_name": "Fuse MQ Enterprise 7.1.0", "release_date": "2014-10-09T00:00:00Z"}, {"advisory": "RHSA-2014:1351", "cpe": "cpe:/a:redhat:jboss_amq:6.1.0", "product_name": "Red Hat JBoss A-MQ 6.1", "release_date": "2014-10-01T00:00:00Z"}, {"advisory": "RHSA-2014:1351", "cpe": "cpe:/a:redhat:jboss_fuse:6.1.0", "product_name": "Red Hat JBoss Fuse 6.1", "release_date": "2014-10-01T00:00:00Z"}], "bugzilla": {"description": "Shiro: successful authentication without specifying user name or password", "id": "1072603", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1072603"}, "csaw": false, "cvss": {"cvss_base_score": "7.5", "cvss_scoring_vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status": "verified"}, "cwe": "CWE-287", "details": ["Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.", "It was discovered that Apache Shiro authenticated users without specifying a user name or a password when used in conjunction with an LDAP back end that allowed unauthenticated binds."], "name": "CVE-2014-0074", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Affected", "package_name": "fuse-6.0", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Affected", "package_name": "fuse-esb-7.1", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Will not fix", "package_name": "shiro", "product_name": "Red Hat JBoss Fuse Service Works 6"}], "public_date": "2014-03-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-0074\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-0074"], "threat_severity": "Important"}