Apache

Shiro

26 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 0.42%
  • Veröffentlicht 25.06.2026 08:45:19
  • Zuletzt bearbeitet 25.06.2026 13:27:40

When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass. This vulnerability is similar to https://www.cve.org/CVERecord?id=CVE-2020-1957 https://www.cve.org/CV...

  • EPSS 0.2%
  • Veröffentlicht 25.06.2026 08:44:30
  • Zuletzt bearbeitet 25.06.2026 13:27:40

"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from...

  • EPSS 0.49%
  • Veröffentlicht 17.06.2026 13:07:44
  • Zuletzt bearbeitet 17.06.2026 13:07:44

A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special cha...

  • EPSS 0.35%
  • Veröffentlicht 25.05.2026 20:20:03
  • Zuletzt bearbeitet 28.05.2026 13:38:44

Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect targe...

  • EPSS 0.38%
  • Veröffentlicht 25.05.2026 20:19:44
  • Zuletzt bearbeitet 28.05.2026 13:44:45

With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro...

  • EPSS 0.27%
  • Veröffentlicht 25.05.2026 20:19:26
  • Zuletzt bearbeitet 28.05.2026 13:45:52

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 o...

  • EPSS 0.41%
  • Veröffentlicht 25.05.2026 20:19:03
  • Zuletzt bearbeitet 28.05.2026 13:47:12

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue....

  • EPSS 0.22%
  • Veröffentlicht 10.02.2026 09:25:51
  • Zuletzt bearbeitet 12.02.2026 15:30:25

Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7. Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue. Prior to Shiro 2.0.7, code paths for non-e...

  • EPSS 0.36%
  • Veröffentlicht 09.02.2026 09:26:21
  • Zuletzt bearbeitet 11.02.2026 18:30:59

Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro: before 2.0.7. Users are recommended to upgrade to version 2.0.7, which fixes the issue. The issue only effects static files. If static files ar...

  • EPSS 1.18%
  • Veröffentlicht 15.01.2024 10:15:26
  • Zuletzt bearbeitet 03.11.2025 22:16:29

Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `bloc...