Bug 1072603 (CVE-2014-0074) - CVE-2014-0074 Apache Shiro: successful authentication without specifying user name or password
Summary: CVE-2014-0074 Apache Shiro: successful authentication without specifying user...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-0074
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1059445 1072760 1113315
Reported: 2014-03-04 21:23 UTC by Martin Prpič
Modified: 2019-09-29 13:14 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that Apache Shiro authenticated users without specifying a user name or a password when used in conjunction with an LDAP back end that allowed unauthenticated binds.
Clone Of:
Environment:
Last Closed: 2014-10-09 18:24:51 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1351 0 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse/A-MQ 6.1.0 security update 2014-10-01 22:10:39 UTC
Red Hat Product Errata RHSA-2014:1369 0 normal SHIPPED_LIVE Important: Fuse ESB Enterprise/Fuse MQ Enterprise 7.1.0 update 2014-10-09 20:07:39 UTC

Description Martin Prpič 2014-03-04 21:23:16 UTC
It was discovered [1] that Apache Shiro authenticated users without specifying a user name or a password when used in conjunction with an LDAP back end that allowed unauthenticated binds.

This issue has been fixed upstream in version 1.2.3 of Apache Shiro.

[1] https://issues.apache.org/jira/browse/SHIRO-460
[2] http://seclists.org/fulldisclosure/2014/Mar/22
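The failure mode described above, as an added example that is neither part of this bug report nor Apache Shiro's own code: a simple bind that supplies a DN but an empty password is an "unauthenticated bind" (RFC 4513, section 5.1.2), and a directory that permits it returns success while granting only anonymous access. An application that equates "bind succeeded" with "user authenticated" therefore accepts an empty password. The directory below is a constructed in-memory stand-in for such a server (hypothetical DN and password); the hardened function rejects empty credentials before binding and also requires that the bind produced an authenticated identity rather than an anonymous one.

```python
"""
Added example modelling CVE-2014-0074 (not code from the report or from
Apache Shiro). The LDAP server is simulated in memory so the example runs
offline; the DN, password and base DN are hypothetical, constructed values.
"""
from dataclasses import dataclass
from typing import Optional

BASE_DN = "ou=people,dc=example,dc=com"  # constructed, hypothetical base DN


@dataclass
class BindResult:
    success: bool
    authenticated_as: Optional[str]  # None means anonymous / unauthenticated


# Constructed in-memory directory standing in for an LDAP server that
# permits unauthenticated binds.
_DIRECTORY = {
    f"uid=alice,{BASE_DN}": "correct horse battery staple",
}


def user_dn(username: str) -> str:
    """Build the bind DN for a username (constructed naming scheme)."""
    return f"uid={username},{BASE_DN}"


def simulated_ldap_bind(dn: str, password: str) -> BindResult:
    """Mimic a server that allows unauthenticated binds (RFC 4513 5.1.2):
    a DN with an empty password 'succeeds' but yields anonymous authz."""
    if password == "":
        return BindResult(success=True, authenticated_as=None)
    if _DIRECTORY.get(dn) == password:
        return BindResult(success=True, authenticated_as=dn)
    return BindResult(success=False, authenticated_as=None)


def vulnerable_login(username: str, password: str) -> bool:
    """The pattern the advisory describes: bind success alone is trusted,
    so an empty username and empty password are accepted."""
    return simulated_ldap_bind(user_dn(username), password).success


def hardened_login(username: str, password: Optional[str]) -> bool:
    """Refuse empty or missing credentials before touching the directory,
    and require that the bind actually authenticated the requested DN."""
    if not username or not username.strip():
        return False
    if password is None or password == "":
        return False
    dn = user_dn(username)
    result = simulated_ldap_bind(dn, password)
    return result.success and result.authenticated_as == dn


if __name__ == "__main__":
    print("vulnerable, empty creds:", vulnerable_login("", ""))
    print("hardened, empty creds:  ", hardened_login("", ""))
    print("hardened, real creds:   ", hardened_login("alice", "correct horse battery staple"))
```

The client-side check is the application-level fix; on the server side the same class of problem is closed by not permitting unauthenticated binds at all (in OpenLDAP this behaviour is governed by the `allow bind_anon_cred` option, which is off by default), and a defender should verify both settings rather than relying on either alone.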

Comment 2 David Jorm 2014-03-18 01:02:00 UTC
Upstream patch commit:

http://svn.apache.org/viewvc?view=revision&revision=1572813

Comment 4 Martin Prpič 2014-09-29 11:58:05 UTC
IssueDescription:

It was discovered that Apache Shiro authenticated users without specifying a user name or a password when used in conjunction with an LDAP back end that allowed unauthenticated binds.

Comment 5 errata-xmlrpc 2014-10-01 18:10:47 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse/A-MQ 6.1.0

Via RHSA-2014:1351 https://rhn.redhat.com/errata/RHSA-2014-1351.html

Comment 6 errata-xmlrpc 2014-10-09 16:07:57 UTC
This issue has been addressed in the following products:

  Fuse ESB Enterprise 7.1.0
  Fuse MQ Enterprise 7.1.0

Via RHSA-2014:1369 https://rhn.redhat.com/errata/RHSA-2014-1369.html

