Apache Shiro
Known Exploited Apache Shiro Vulnerabilities
The following Apache Shiro vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
Title | Description | Added |
---|---|---|
Apache Shiro 1.2.4 Cookie RememberME Deserial Remote Code Execution Vulnerability | Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter. CVE-2016-4437. Exploit Probability: 94.3% | November 3, 2021 |
The vulnerability CVE-2016-4437: Apache Shiro 1.2.4 Cookie RememberME Deserial Remote Code Execution Vulnerability is in the top 1% of the currently known exploitable vulnerabilities.
By the Year
In 2025 there have been 0 vulnerabilities in Apache Shiro. Last year, in 2024, Shiro had 1 security vulnerability published. Right now, Shiro is on track to have fewer security vulnerabilities in 2025 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 0 | 0.00 |
2024 | 1 | 6.50 |
2023 | 2 | 7.95 |
2022 | 2 | 9.80 |
2021 | 2 | 9.80 |
2020 | 4 | 9.23 |
2019 | 1 | 7.50 |
2018 | 0 | 0.00 |
It may take a day or so for new Shiro vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Apache Shiro Security Vulnerabilities
- CVE-2023-46749, 6.5 - Medium, January 15, 2024 (Directory traversal)
  Apache Shiro before 1.13.0 or 2.0.0-alpha-4 may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting. Mitigation: update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).

- CVE-2023-46750, 6.1 - Medium, December 14, 2023 (Open Redirect)
  URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro. Mitigation: update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.

- CVE-2023-34478, 9.8 - Critical, July 24, 2023 (Directory traversal)
  Apache Shiro before 1.12.0 or 2.0.0-alpha-3 may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+.

- CVE-2022-40664, 9.8 - Critical, October 12, 2022 (Authentication)
  Apache Shiro before 1.10.0: authentication bypass vulnerability in Shiro when forwarding or including via RequestDispatcher.

- CVE-2022-32532, 9.8 - Critical, June 29, 2022 (AuthZ)
  Apache Shiro before 1.9.1: a RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.

- CVE-2021-41303, 9.8 - Critical, September 17, 2021
  Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot: a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.

- CVE-2020-17523, 9.8 - Critical, February 3, 2021 (Authentication)
  Apache Shiro before 1.7.1, when using Apache Shiro with Spring: a specially crafted HTTP request may cause an authentication bypass.

- CVE-2020-17510, 9.8 - Critical, November 5, 2020 (Authentication)
  Apache Shiro before 1.7.0, when using Apache Shiro with Spring: a specially crafted HTTP request may cause an authentication bypass.

- CVE-2020-13933, 7.5 - High, August 17, 2020
  Apache Shiro before 1.6.0: a specially crafted HTTP request may cause an authentication bypass.

- CVE-2020-11989, 9.8 - Critical, June 22, 2020
  Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers: a specially crafted request may cause an authentication bypass.

- CVE-2020-1957, 9.8 - Critical, March 25, 2020
  Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers: a specially crafted request may cause an authentication bypass.

- CVE-2019-12422, 7.5 - High, November 18, 2019
  Apache Shiro before 1.4.2, when using the default "remember me" configuration: cookies could be susceptible to a padding attack.

- CVE-2016-4437, 9.8 - Critical, June 7, 2016
  Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
