org.apache.shiro:shiro-web 3.0.0-alpha-1

Direct Vulnerabilities

Known vulnerabilities in the org.apache.shiro:shiro-web package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Session Fixation org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Session Fixation during the login operation in `DefaultSecurityManager.java` and `DefaultWebSecurityManager.java`. An attacker can hijack authenticated user sessions by reusing a valid session identifier after login. How to fix Session Fixation? Upgrade `org.apache.shiro:shiro-web` to version 2.2.0, 3.0.0-alpha-2 or higher.	[,2.2.0)[3.0.0-alpha-1,3.0.0-alpha-2)
M Sensitive Cookie in HTTPS Session Without "Secure" Attribute org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Sensitive Cookie in HTTPS Session Without "Secure" Attribute in the form of `JSESSIONID` and `rememberMe` cookies lacking that attribute in the default configuration, in `DefaultSessionManager.java` and `DefaultWebSessionManager.java`. An attacker in a MitM position on an HTTPS route that is also accessible via HTTP can intercept these cookies. How to fix Sensitive Cookie in HTTPS Session Without "Secure" Attribute? Upgrade `org.apache.shiro:shiro-web` to version 2.2.0, 3.0.0-alpha-2 or higher.	[,2.2.0)[3.0.0-alpha-0,3.0.0-alpha-2)

Vulnerability

Vulnerable Version

Session Fixation

org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.

Affected versions of this package are vulnerable to Session Fixation during the login operation in DefaultSecurityManager.java and DefaultWebSecurityManager.java. An attacker can hijack authenticated user sessions by reusing a valid session identifier after login.

How to fix Session Fixation?

Upgrade org.apache.shiro:shiro-web to version 2.2.0, 3.0.0-alpha-2 or higher.

[,2.2.0)[3.0.0-alpha-1,3.0.0-alpha-2)

Sensitive Cookie in HTTPS Session Without "Secure" Attribute

org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.

Affected versions of this package are vulnerable to Sensitive Cookie in HTTPS Session Without "Secure" Attribute in the form of JSESSIONID and rememberMe cookies lacking that attribute in the default configuration, in DefaultSessionManager.java and DefaultWebSessionManager.java. An attacker in a MitM position on an HTTPS route that is also accessible via HTTP can intercept these cookies.

How to fix Sensitive Cookie in HTTPS Session Without "Secure" Attribute?

Upgrade org.apache.shiro:shiro-web to version 2.2.0, 3.0.0-alpha-2 or higher.

[,2.2.0)[3.0.0-alpha-0,3.0.0-alpha-2)

org.apache.shiro:shiro-web@3.0.0-alpha-1

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically