org.apache.shiro:shiro-web@2.2.1

  • latest version

    3.0.0

  • latest non vulnerable version

  • first published

    16 years ago

  • latest version published

    15 days ago

  • licenses detected

  • package registry

  • Direct Vulnerabilities

    Known vulnerabilities in the org.apache.shiro:shiro-web package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Authentication Bypass by Alternate Name

    org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.

    Affected versions of this package are vulnerable to Authentication Bypass by Alternate Name in the shiro-guice module when deployed in a web servlet context. An attacker can gain unauthorized access by sending specially crafted HTTP requests.

    How to fix Authentication Bypass by Alternate Name?

    Upgrade org.apache.shiro:shiro-web to version 3.0.0 or higher.

    [2.0.0-alpha-1,3.0.0)
    • L
    Replay Attack

    org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.

    Affected versions of this package are vulnerable to Replay Attack due to the server not verifying the expiration of the RememberMe cookie. An attacker can maintain unauthorized access by intercepting and reusing a valid cookie beyond its intended expiration. This is only exploitable if the RememberMe functionality is enabled.

    How to fix Replay Attack?

    Upgrade org.apache.shiro:shiro-web to version 3.0.0 or higher.

    [1.2.4,3.0.0)