Session Fixation

Overview org.apache.shiro:shiro-core is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Session Fixation during the login operation in...

Sensitive Cookie in HTTPS Session Without "Secure" Attribute

Overview org.apache.shiro:shiro-core is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Sensitive Cookie in HTTPS Session Without "Secure" Attribute in the for...

ca.ibodrov.concord:testcontainers-concord-core (>=2.0.3 <=2.0.5), ca.ibodrov.mica.docker:mica-standalone (>=0.0.27 <=0.0.34) +270 more potentially affected by CVE-2026-23901 via org.apache.shiro:shiro-core (>=2.0.0-alpha-1 <=2.0.6)

org.apache.shiro:shiro-core MAVEN version =2.0.0-alpha-1, =2.0.3, =0.0.27, =0.0.27, =0.0.27, =6.0.0, =8.0.0, =8.0.0, =2.2.0, =1.0.2, =3.4.0, =3.3.0, =3.3.0, =3.3.0, =3.3.0, =3.8.0 and more Source cves: CVE-2026-23901 Source advisory: SNYK:JAVA-ORGAPACHESHIRO-15253618...

be.fluid-it.guice.extensions:guice-multi-shiro-realms (=0.1-1), be.fluid-it.shiro.jee:shiro-jee-authc (>=0.1-1 <=0.1-3) +3101 more potentially affected by CVE-2026-23901 via org.apache.shiro:shiro-core (>=1.0.0-incubating <=2.0.6)

org.apache.shiro:shiro-core MAVEN version =1.0.0-incubating, =0.1-1, =4.0.0-RC2, =1.0.0, =1.0.0, =0.0.2, =0.0.21, =0.0.27, =0.0.2, =0.0.27, =0.0.1, =1.0.2, =1.0.0, =1.0.5 and more Source cves: CVE-2026-23901 Source advisory: OSV:GHSA-C4QC-4Q9P-M9Q9...

Timing Attack

Overview org.apache.shiro:shiro-core is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Timing Attack in the authentication process. An attacker can infer the...

ca.ibodrov.concord:testcontainers-concord-core (>=2.0.3 <=2.0.5), ca.ibodrov.mica.docker:mica-standalone (>=0.0.27 <=0.0.34) +270 more potentially affected by CVE-2026-23903 via org.apache.shiro:shiro-core (>=2.0.0-alpha-1 <=2.0.6)

org.apache.shiro:shiro-core MAVEN version =2.0.0-alpha-1, =2.0.3, =0.0.27, =0.0.27, =0.0.27, =6.0.0, =8.0.0, =8.0.0, =2.2.0, =1.0.2, =3.4.0, =3.3.0, =3.3.0, =3.3.0, =3.3.0, =3.8.0 and more Source cves: CVE-2026-23903 Source advisory: SNYK:JAVA-ORGAPACHESHIRO-15253617...

Authentication Bypass by Alternate Name

Overview org.apache.shiro:shiro-core is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Authentication Bypass by Alternate Name while serving static files from...

Security Bulletin: IBM® Engineering Requirements Management DOORS/DWA vulnerabilities addressed in 9.7.2.8

Summary Third party reported 'Stored XSS' and 'CSRF' issues, Apache Tomcat, Apache ActiveMQ, CKEditor, libcURL, xmlbeans, scala-library, json-smart, jna-platform, jackson-databind, commons-io, shiro-core, commons-net, snappy-java, xercesImpl are identified as vulnerable components with multiple...

ca.ibodrov.concord:testcontainers-concord-core (>=2.0.0 <=2.0.2), ca.ibodrov.mica:mica-concord-server-plugin (>=0.0.2 <=0.0.21) +496 more potentially affected by CVE-2023-46749 via org.apache.shiro:shiro-core (>=1.0.0-incubating <=1.12.0)

org.apache.shiro:shiro-core MAVEN version =1.0.0-incubating, =2.0.0, =0.0.2, =5.1.0, =5.1.0, =5.1.0, =6.5.28, =6.5.28, =6.5.28, =6.5.28, =6.5.28, =2.2.0, =2.2.0, =2.2.0, =2.3.1 and more Source cves: CVE-2023-46749 Source advisory: OSV:GHSA-JC7H-C423-MPJC...

org.apache.camel:camel-shiro (=2.5.0), org.apache.shiro.samples:samples-aspectj (=1.0.0-incubating) +29 more potentially affected by CVE-2022-40664 via org.apache.shiro:shiro-core (=1.0.0-incubating)

org.apache.shiro:shiro-core MAVEN version =1.0.0-incubating is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.shiro:shiro-core and may be impacted: - org.apache.camel:camel-shiro =2.5.0 - org.apache.shiro.samples:samples-aspectj...

Authorization Bypass

shiro-core is vulnerable to authorization bypass. The vulnerability exists due to the case-insensitive regex pattern matching used in the matches function of RegExPatternMatcher.java, allowing an attacker to bypass the servlet container when RegExPatternMatcher with . in the regular expression...

be.fluid-it.guice.extensions:guice-multi-shiro-realms (=0.1-1), be.fluid-it.shiro.jee:shiro-jee-authc (>=0.1-1 <=0.1-3) +3017 more potentially affected by CVE-2022-32532 via org.apache.shiro:shiro-core (>=1.0.0-incubating <=1.9.0)

org.apache.shiro:shiro-core MAVEN version =1.0.0-incubating, =0.1-1, =4.0.0-RC2, =1.0.0, =1.0.0, =0.0.2, =0.0.21, =0.0.2, =0.0.1, =1.0.2, =1.0.0, =1.0.0, =2.0.0 - cn.acooly:acooly-auth-wechat-authenticator =5.2.1 and more Source cves: CVE-2022-32532 Source advisory: OSV:GHSA-4CF5-XMHP-3XJ7...

be.fluid-it.guice.extensions:guice-multi-shiro-realms (=0.1-1), be.fluid-it.shiro.jee:shiro-jee-authc (>=0.1-1 <=0.1-3) +1469 more potentially affected by CVE-2016-4437 via org.apache.shiro:shiro-core (>=1.0.0-incubating <=1.2.4)

org.apache.shiro:shiro-core MAVEN version =1.0.0-incubating, =0.1-1, =4.0.0-RC2, =1.0.0, =2.0.0, =0.0.2, =0.1, =0.1, =0.1, =2.1.0-RELEASE, =1.0, =1.0.3 - cn.org.awcp:awcp-formdesigner-application =1.0-RELEASE - cn.org.awcp:awcp-formdesigner-applicationImpl =1.0-RELEASE -...

be.fluid-it.guice.extensions:guice-multi-shiro-realms (=0.1-1), be.fluid-it.shiro.jee:shiro-jee-authc (>=0.1-1 <=0.1-3) +2973 more potentially affected by CVE-2021-41303 via org.apache.shiro:shiro-core (>=1.0.0-incubating <=1.7.1)

org.apache.shiro:shiro-core MAVEN version =1.0.0-incubating, =0.1-1, =4.0.0-RC2, =1.0.0, =1.0.0, =0.0.2, =0.0.21, =0.0.2, =0.0.1, =1.0.2, =1.0.0, =1.0.5 - cn.acooly:acooly-auth-wechat-authenticator =5.2.1 - cn.chenzw.toolkit:toolkit =1.0.3-a and more Source cves: CVE-2021-41303 Source advisory:...

Moderate: Red Hat Security Advisory: Red Hat Fuse 7.9.0 release and security update

A minor version update from 7.8 to 7.9 is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring...

be.fluid-it.guice.extensions:guice-multi-shiro-realms (=0.1-1), be.fluid-it.shiro.jee:shiro-jee-authc (>=0.1-1 <=0.1-3) +2823 more potentially affected by CVE-2020-13933 via org.apache.shiro:shiro-core (>=1.0.0-incubating <=1.5.3)

org.apache.shiro:shiro-core MAVEN version =1.0.0-incubating, =0.1-1, =4.0.0-RC2, =1.0.0, =1.0.0, =0.0.2, =0.0.21, =0.0.2, =0.0.1, =1.0.0, =0.1, =0.1, =0.2 and more Source cves: CVE-2020-13933 Source advisory: OSV:GHSA-2VGM-WXR3-6W2J...

be.fluid-it.guice.extensions:guice-multi-shiro-realms (=0.1-1), be.fluid-it.shiro.jee:shiro-jee-authc (>=0.1-1 <=0.1-3) +2724 more potentially affected by CVE-2020-1957 via org.apache.shiro:shiro-core (>=1.0.0-incubating <=1.5.1)

org.apache.shiro:shiro-core MAVEN version =1.0.0-incubating, =0.1-1, =4.0.0-RC2, =1.0.0, =1.0.0, =0.0.2, =0.0.21, =0.0.2, =0.0.1, =1.0.0, =0.1, =0.1, =0.1, =0.2 and more Source cves: CVE-2020-1957 Source advisory: OSV:GHSA-26GR-CVQ3-QXGF...

be.fluid-it.guice.extensions:guice-multi-shiro-realms (=0.1-1), be.fluid-it.shiro.jee:shiro-jee-authc (>=0.1-1 <=0.1-3) +2748 more potentially affected by CVE-2020-11989 via org.apache.shiro:shiro-core (>=1.0.0-incubating <=1.5.2)

org.apache.shiro:shiro-core MAVEN version =1.0.0-incubating, =0.1-1, =4.0.0-RC2, =1.0.0, =1.0.0, =0.0.2, =0.0.21, =0.0.2, =0.0.1, =1.0.0, =0.1, =0.1, =0.1, =0.2 and more Source cves: CVE-2020-11989 Source advisory: OSV:GHSA-72W9-FCJ5-3FCG...

Authentication Bypass

shiro-core is vulnerable to authentication bypass. The vulnerability exists through a HTTP request that could bypass the path matching checks...

Important: Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.3 R18 security and bug fix update

An update is now available for Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...