Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.
Apache Shiro encrypts its default rememberMe cookie with a hardcoded encryption key that ships with the framework. Because the key is known, an attacker can create a malicious object, serialize it, encrypt and encode it with that key, and send it as the rememberMe cookie. Shiro will then decode, decrypt and deserialize it, so the crafted object is processed by the application before any authentication takes place.
- Upgrade to the latest version of Apache Shiro.
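Upgrading removes the shipped default, but the rememberMe key still has to be unique per deployment. The following Java configuration is an added example (not code from the Apache Shiro project or this advisory) showing how to give `CookieRememberMeManager` a key that is provisioned out of band instead of one compiled into the application; it assumes the key is supplied base64-encoded in the environment variable `SHIRO_REMEMBERME_KEY`.

```java
import java.util.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

public class RememberMeKeyConfig {

    // Assumption: the key is provisioned per deployment (secret store or
    // environment), never hardcoded in source or in a shipped shiro.ini.
    public static byte[] loadCipherKey() {
        String encoded = System.getenv("SHIRO_REMEMBERME_KEY");
        if (encoded == null || encoded.isEmpty()) {
            // Fail closed: a missing key must not silently fall back to a default.
            throw new IllegalStateException("SHIRO_REMEMBERME_KEY is not set");
        }
        byte[] key = Base64.getDecoder().decode(encoded);
        if (key.length != 16 && key.length != 24 && key.length != 32) {
            throw new IllegalStateException("rememberMe key must be 128, 192 or 256 bits");
        }
        return key;
    }

    // Wire the deployment-specific key into the rememberMe manager so that
    // cookies encrypted under the framework's former default key are rejected.
    public static DefaultWebSecurityManager buildSecurityManager() {
        CookieRememberMeManager rememberMe = new CookieRememberMeManager();
        rememberMe.setCipherKey(loadCipherKey());

        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRememberMeManager(rememberMe);
        return securityManager;
    }

    // One-off helper for operators: generate a fresh AES key for a new
    // deployment and print it in the format loadCipherKey() expects.
    public static String generateNewKeyBase64() {
        byte[] raw = new AesCipherService().generateNewKey().getEncoded();
        return Base64.getEncoder().encodeToString(raw);
    }

    public static void main(String[] args) {
        System.out.println("New rememberMe key (store in SHIRO_REMEMBERME_KEY): "
                + generateNewKeyBase64());
    }
}
```

Rotating the key invalidates every existing rememberMe cookie, which is the intended effect after exposure of the old one.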