{
  "modified": "2025-08-09T19:01:28Z",
  "published": "2014-10-06T14:55:08Z",
  "id": "CVE-2014-0074",
  "details": "Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.",
  "references": [
    {
      "type": "ADVISORY",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-1351.html"
    },
    {
      "type": "ADVISORY",
      "url": "https://issues.apache.org/jira/browse/SHIRO-460"
    },
    {
      "type": "EVIDENCE",
      "url": "https://issues.apache.org/jira/browse/SHIRO-460"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2014/Mar/22"
    }
  ]
}