{
  "threat_severity" : "Important",
  "public_date" : "2016-06-03T00:00:00Z",
  "bugzilla" : {
    "description" : "shiro: Security constraint bypass",
    "id" : "1343346",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1343346"
  },
  "cvss" : {
    "cvss_base_score" : "6.8",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:P/I:P/A:P",
    "status" : "verified"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-287",
  "details" : [ "Apache Shiro before 1.2.5, when a cipher key has not been configured for the \"remember me\" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.", "It was found that Apache Shiro uses a default cipher key for its \"remember me\" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content." ],
  "affected_release" : [ {
    "product_name" : "Red Hat JBoss A-MQ 6.3",
    "release_date" : "2016-10-06T00:00:00Z",
    "advisory" : "RHSA-2016:2036",
    "cpe" : "cpe:/a:redhat:jboss_amq:6.3"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6.3",
    "release_date" : "2016-10-06T00:00:00Z",
    "advisory" : "RHSA-2016:2035",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6.3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat JBoss A-MQ 6",
    "fix_state" : "Affected",
    "package_name" : "shiro-core",
    "cpe" : "cpe:/a:redhat:jboss_amq:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Affected",
    "package_name" : "shiro-core",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Affected",
    "package_name" : "shiro-core",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2",
    "fix_state" : "Affected",
    "package_name" : "shiro-core",
    "cpe" : "cpe:/a:redhat:openshift:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-4437\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-4437\nhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog" ],
  "name" : "CVE-2016-4437",
  "csaw" : false
}