Advisories for Maven/Org.apache.shiro/Shiro-Core package

2026

Apache Shiro Affected by an Observable Timing Discrepancy Vulnerability

Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from 1., 2. before 2.0.7. Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue. Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough, that a brute-force attack may be able to tell, by timing the requests only, determine if the request failed because of a non-existent user vs. …

2024

Apache Shiro vulnerable to path traversal

Apache Shiro before 1.130 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure blockSemicolon is enabled (this is the default).

2023

Interpretation Conflict

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: spring.mvc.pathmatch.matching-strategy = ant_path_matcher

2022

Advisories for Maven/Org.apache.shiro/Shiro-Core package

Apache Shiro Affected by an Observable Timing Discrepancy Vulnerability

Apache Shiro vulnerable to path traversal

Interpretation Conflict

Improper Authentication

Incorrect Authorization

Improper Access Control in Apache Shiro

Improper Authentication

Improper Authentication in Apache Shiro

Authentication bypass in Apache Shiro

Improper Authentication

Improper input validation in Apache Shiro