Nessus plugin APACHE_SHIRO_CVE-2019-12422.NASL — This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.
History: Jun 01, 2022 - 12:00 a.m.

Apache Shiro < 1.4.2 Padding Attack

2022-06-01 00:00:00
This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com

Apache Shiro before 1.4.2, when using the default 'remember me' configuration, issues 'remember me' cookies that could be susceptible to a padding attack. Deployments that have disabled or reconfigured 'remember me' away from the defaults may not be affected, but this plugin cannot distinguish them.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number; a reported result therefore means "vulnerable version installed", not "exploitable as deployed", and should be confirmed against the instance's 'remember me' configuration.

##
# (C) Tenable, Inc.
##

include('compat.inc');

# Registration phase: when Nessus loads the plugin with `description` set, this
# block only declares metadata (IDs, CVSS, dependencies) and exits; the actual
# version check further down never runs in this mode.
if (description)
{
  script_id(161730);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/06/02");

  script_cve_id("CVE-2019-12422");

  script_name(english:"Apache Shiro < 1.4.2 Padding Attack");

  script_set_attribute(attribute:"synopsis", value:
"A Java security framework is affected by a padding attack vulnerability.");
  # The description text is shown to the user in the scan report; it is the
  # only place that says the check is version-based and not an active test.
  script_set_attribute(attribute:"description", value:
"Apache Shiro before 1.4.2, when using the default 'remember me' configuration, cookies could be susceptible to a 
padding attack.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://shiro.apache.org/security-reports.html#cve_2019_12422");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Shiro 1.4.2 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  # CVSSv2 and CVSSv3 vectors: no confidentiality/availability impact, integrity
  # impact only; temporal vectors record "unproven exploit, official fix available".
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  # Scores above are taken from the CVE record rather than assigned by Tenable.
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-12422");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  # Patch (Shiro 1.4.2) shipped before the CVE was published, so the patch date
  # precedes the vulnerability date here.
  script_set_attribute(attribute:"vuln_publication_date", value:"2019/11/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/11/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/06/01");

  # Local (non-network) check driven by a detected JAR; the CPE below is what
  # the finding is matched to in reports.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:shiro");
  # NOTE(review): "thorough_tests" presumably restricts this plugin to scans with
  # the thorough-tests option enabled — confirm against the scan policy in use.
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Runs only after the Shiro JAR detection plugin has populated the
  # installed_sw/Apache Shiro KB key; without it the plugin does not execute.
  script_dependencies("shiro_jar_detection.nbin");
  script_require_keys("installed_sw/Apache Shiro");

  exit(0);
}

include('vcf.inc');

# Detection phase: pull the Shiro install recorded by shiro_jar_detection.nbin
# and compare its self-reported version against the fix version. This is a
# version-only check — no request is sent to the target and the 'remember me'
# configuration is not inspected.
var shiro_install = vcf::get_app_info(app:'Apache Shiro');

# Anything below 1.4.2 is reported; the fixed version itself is not flagged.
vcf::check_version_and_report(
  app_info:shiro_install,
  constraints:[{'fixed_version' : '1.4.2'}],
  severity:SECURITY_WARNING
);
Affected product (Vendor / Product / CPE): apache / shiro / cpe:/a:apache:shiro