{ "threat_severity" : "Important", "public_date" : "2014-03-04T00:00:00Z", "bugzilla" : { "description" : "Shiro: successful authentication without specifying user name or password", "id" : "1072603", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1072603" }, "cvss" : { "cvss_base_score" : "7.5", "cvss_scoring_vector" : "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status" : "verified" }, "cwe" : "CWE-287", "details" : [ "Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.", "It was discovered that Apache Shiro authenticated users without specifying a user name or a password when used in conjunction with an LDAP back end that allowed unauthenticated binds." ], "affected_release" : [ { "product_name" : "Fuse ESB Enterprise 7.1.0", "release_date" : "2014-10-09T00:00:00Z", "advisory" : "RHSA-2014:1369", "cpe" : "cpe:/a:redhat:fuse_esb_enterprise:7.1.0" }, { "product_name" : "Fuse Management Console 7.1.0", "release_date" : "2014-10-09T00:00:00Z", "advisory" : "RHSA-2014:1369", "cpe" : "cpe:/a:redhat:fuse_management_console:7.1.0" }, { "product_name" : "Fuse MQ Enterprise 7.1.0", "release_date" : "2014-10-09T00:00:00Z", "advisory" : "RHSA-2014:1369", "cpe" : "cpe:/a:redhat:fuse_mq_enterprise:7.1.0" }, { "product_name" : "Red Hat JBoss A-MQ 6.1", "release_date" : "2014-10-01T00:00:00Z", "advisory" : "RHSA-2014:1351", "cpe" : "cpe:/a:redhat:jboss_amq:6.1.0" }, { "product_name" : "Red Hat JBoss Fuse 6.1", "release_date" : "2014-10-01T00:00:00Z", "advisory" : "RHSA-2014:1351", "cpe" : "cpe:/a:redhat:jboss_fuse:6.1.0" } ], "package_state" : [ { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Will not fix", "package_name" : "shiro", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-0074\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-0074" ], "name" : "CVE-2014-0074", "csaw" : false }