Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.

Apache Shiro is using a default rememberme cookie that is encrypted with a hardcoded encryption key. An attacker can create a malicious object, serialize it, encode it, then send it as a cookie. Shiro will then decode and deserialize it.


Upgrade to the latest version of Apache Shiro.


Related Vulnerabilities