Apache Shiro versions 1.0.0-incubating through 1.2.4 suffer from an information disclosure vulnerability.
7f3f67607bcb0b11683159589f2327ab0253244f1398897c94b94f1c8ef20ce6
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
1.0.0-incubating - 1.2.4
Description:
A default cipher key is used for the "remember me" feature when not
explicitly configured. A request that included a specially crafted
request parameter could be used to execute arbitrary code or access
content that would otherwise be protected by a security constraint.
Mitigation:
Users should upgrade to 1.2.5 [1], ensure a secret cipher key is
configured [2], or disable the "remember me" feature. [3]
All binaries (.jars) are available in Maven Central already.
References:
[1] http://shiro.apache.org/download.html
[2] http://shiro.apache.org/configuration.html#Configuration-ByteArrayValues
[3] If using a shiro.ini, "remember me" can be disabled adding the
following config line in the '[main]' section:
securityManager.rememberMeManager = null