CVE-2019-12422: Input Validation

Reference Links

• https://www.cve.org/CVERecord?id=CVE-2019-12422 https://nvd.nist.gov/vuln/detail/CVE-2019-12422
• https://bugzilla.redhat.com/show_bug.cgi?id=1774726
• https://access.redhat.com/errata/RHSA-2020:0983
• https://access.redhat.com/security/cve/cve-2019-12422
• https://lists.apache.org/thread.html/c9db14cfebfb8e74205884ed2bf2e2b30790ce24b7dde9191c82572c@%3Cdev.shiro.apache.org%3E
• https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040@%3Ccommits.shiro.apache.org%3E
• https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1774727
• https://access.redhat.com/support/policy/updates/jboss_notes
• https://lists.apache.org/thread.html/c9db14cfebfb8e74205884ed2bf2e2b30790ce24b7dde9191c82572c%40%3Cdev.shiro.apache.org%3E
• https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040%40%3Ccommits.shiro.apache.org%3E

Parent vulnerabilities

(Appears in the following advisories)

• RHSA-2020:0983

Frequently Asked Questions

• What is the vulnerability ID?

  The vulnerability ID is CVE-2019-12422.

• What is the title of the vulnerability?

  The title of the vulnerability is Apache Shiro before 1.4.2 when using the default remember me configuration cookies could be susceptible to a padding attack.

• What is the severity of CVE-2019-12422?

  The severity of CVE-2019-12422 is high (7.4).

• Which software is affected by CVE-2019-12422?

  Apache Shiro versions up to but not including 1.4.2 are affected.

• How can I fix CVE-2019-12422?

  To fix CVE-2019-12422, update Apache Shiro to version 1.4.2 or later.