
Brian Demers

Rank: #19150 of 53,634
Total CVSS: 14
Vulnerabilities: 2 (Medium: 1, High: 1)

PT-2024-1139 · CVSS 6.5 · 2024-01-12
Apache · Apache Shiro · CVE-2023-46749

**Name of the Vulnerable Software and Affected Versions**
Apache Shiro versions 1.13.0 and earlier, or 2.0.0-alpha-4 and earlier

**Description**
The issue is related to a path traversal attack that can result in an authentication bypass when used together with path rewriting. This can allow a remote attacker to bypass the authentication process by sending specially crafted requests.

**Recommendations**
Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).

PT-2020-6900 · CVSS 7.5 · 2020-08-17
Apache · Apache Shiro · CVE-2020-13933

**Name of the Vulnerable Software and Affected Versions**
Apache Shiro versions prior to 1.6.0

**Description**
The issue is related to weaknesses in the authentication procedure of the Apache Shiro framework. It may allow a remote attacker to bypass existing security restrictions by sending a specially crafted HTTP request.

**Recommendations**
For versions prior to 1.6.0, update to version 1.6.0 or later to resolve the issue.