Apache Shiro Authentication Bypass Vulnerability (CVE-2020-13933)
Aug 19, 2020 GMT+08:00
I. Overview
Apache Shiro has recently released a security notice disclosing an authentication bypass vulnerability in Apache Shiro versions earlier than 1.6.0. Attackers can send specially crafted HTTP requests to bypass identity authentication.
If you use Apache Shiro, check which version you are running and harden affected deployments promptly.
For more information about this vulnerability, visit the following website:
II. Severity
Severity: important
(Severity levels: low, moderate, important, and critical)
III. Affected Products
Affected versions:
Apache Shiro earlier than 1.6.0
Secure versions:
Apache Shiro 1.6.0
IV. Vulnerability Handling
This vulnerability has been fixed in the latest official version 1.6.0. If your version falls into the affected range, upgrade it to the secure version.
Download link: https://github.com/apache/shiro/releases
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
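One way to carry out the version check this notice asks for, as an added example that is not part of the original notice or of the Apache Shiro project: the script walks a directory tree, including jars bundled inside WAR, EAR or fat JAR archives, and flags Shiro modules older than 1.6.0. It assumes Maven-style file names such as shiro-core-1.5.3.jar (a constructed sample name); renamed or shaded jars are not detected.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

FIXED = (1, 6, 0)  # first secure version per the notice
# Assumption: Maven-style file names (shiro-core-1.5.3.jar); qualifiers such as -RC2 are ignored.
JAR_RE = re.compile(r"(?:^|/)(shiro-[a-z0-9-]+?)-(\d+(?:\.\d+)*)([.-][A-Za-z0-9.-]+)?\.jar$")
ARCHIVES = (".war", ".jar", ".ear")

def parse_version(text):
    # '1.5' -> (1, 5, 0) so that versions compare numerically, not as strings
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def check_name(name):
    """Return (module, version, affected) for a Shiro jar name, else None."""
    m = JAR_RE.search(name)
    return (m.group(1), m.group(2), parse_version(m.group(2)) < FIXED) if m else None

def scan_archive(data, label, findings, depth=0):
    """Find Shiro jars bundled in a WAR/EAR/fat JAR given as bytes."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for entry in zf.namelist():
                hit = check_name(entry)
                if hit:
                    findings.append((f"{label}!{entry}",) + hit)
                elif entry.lower().endswith(ARCHIVES) and depth < 2:  # bounded nesting
                    scan_archive(zf.read(entry), f"{label}!{entry}", findings, depth + 1)
    except zipfile.BadZipFile:
        pass  # not a readable archive

def scan_tree(root):
    """Walk root and return a list of (location, module, version, affected)."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        hit = check_name(path.name)
        if hit:
            findings.append((str(path),) + hit)
        elif path.suffix.lower() in ARCHIVES:
            scan_archive(path.read_bytes(), str(path), findings)
    return findings

if __name__ == "__main__":
    for loc, module, version, affected in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'AFFECTED' if affected else 'ok':8} {module} {version}  {loc}")
```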