org.apache.shiro:shiro-core 2.0.0-alpha-4

Direct Vulnerabilities

Known vulnerabilities in the org.apache.shiro:shiro-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Session Fixation org.apache.shiro:shiro-core is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Session Fixation during the login operation in `DefaultSecurityManager.java` and `DefaultWebSecurityManager.java`. An attacker can hijack authenticated user sessions by reusing a valid session identifier after login. How to fix Session Fixation? Upgrade `org.apache.shiro:shiro-core` to version 2.2.0, 3.0.0-alpha-2 or higher.	[,2.2.0)[3.0.0-alpha-1,3.0.0-alpha-2)
M Sensitive Cookie in HTTPS Session Without "Secure" Attribute org.apache.shiro:shiro-core is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Sensitive Cookie in HTTPS Session Without "Secure" Attribute in the form of `JSESSIONID` and `rememberMe` cookies lacking that attribute in the default configuration, in `DefaultSessionManager.java` and `DefaultWebSessionManager.java`. An attacker in a MitM position on an HTTPS route that is also accessible via HTTP can intercept these cookies. How to fix Sensitive Cookie in HTTPS Session Without "Secure" Attribute? Upgrade `org.apache.shiro:shiro-core` to version 2.2.0, 3.0.0-alpha-2 or higher.	[,2.2.0)[3.0.0-alpha-0,3.0.0-alpha-2)
M Authentication Bypass by Alternate Name org.apache.shiro:shiro-core is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Authentication Bypass by Alternate Name while serving static files from a case-insensitive filesystems such as MacOS. An attacker can gain unauthorized access to static files by exploiting differences in filename case handling. How to fix Authentication Bypass by Alternate Name? Upgrade `org.apache.shiro:shiro-core` to version 2.1.0 or higher.	[,2.1.0)
L Timing Attack org.apache.shiro:shiro-core is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Timing Attack in the authentication process. An attacker can infer the existence of valid usernames by measuring response times during authentication attempts. How to fix Timing Attack? Upgrade `org.apache.shiro:shiro-core` to version 2.1.0 or higher.	[,2.1.0)

Vulnerability

Vulnerable Version

Session Fixation

org.apache.shiro:shiro-core is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.

Affected versions of this package are vulnerable to Session Fixation during the login operation in DefaultSecurityManager.java and DefaultWebSecurityManager.java. An attacker can hijack authenticated user sessions by reusing a valid session identifier after login.

How to fix Session Fixation?

Upgrade org.apache.shiro:shiro-core to version 2.2.0, 3.0.0-alpha-2 or higher.

[,2.2.0)[3.0.0-alpha-1,3.0.0-alpha-2)

Sensitive Cookie in HTTPS Session Without "Secure" Attribute

org.apache.shiro:shiro-core is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.

Affected versions of this package are vulnerable to Sensitive Cookie in HTTPS Session Without "Secure" Attribute in the form of JSESSIONID and rememberMe cookies lacking that attribute in the default configuration, in DefaultSessionManager.java and DefaultWebSessionManager.java. An attacker in a MitM position on an HTTPS route that is also accessible via HTTP can intercept these cookies.

How to fix Sensitive Cookie in HTTPS Session Without "Secure" Attribute?

Upgrade org.apache.shiro:shiro-core to version 2.2.0, 3.0.0-alpha-2 or higher.

[,2.2.0)[3.0.0-alpha-0,3.0.0-alpha-2)

Authentication Bypass by Alternate Name

org.apache.shiro:shiro-core is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.

Affected versions of this package are vulnerable to Authentication Bypass by Alternate Name while serving static files from a case-insensitive filesystems such as MacOS. An attacker can gain unauthorized access to static files by exploiting differences in filename case handling.

How to fix Authentication Bypass by Alternate Name?

Upgrade org.apache.shiro:shiro-core to version 2.1.0 or higher.

[,2.1.0)

Timing Attack

org.apache.shiro:shiro-core is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.

Affected versions of this package are vulnerable to Timing Attack in the authentication process. An attacker can infer the existence of valid usernames by measuring response times during authentication attempts.

How to fix Timing Attack?

Upgrade org.apache.shiro:shiro-core to version 2.1.0 or higher.

[,2.1.0)

org.apache.shiro:shiro-core@2.0.0-alpha-4

latest version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically