
James Love

#46746 of 53,632
5.4 Total CVSS
Vulnerabilities · 1
PT-2026-43120
5.4
2026-05-25
Apache · Apache Shiro · CVE-2026-44598
**Name of the Vulnerable Software and Affected Versions**

Apache Shiro versions 2.0-alpha through 2.1.0

Apache Shiro version 3.0.0-alpha-1

**Description**

An issue exists in the shiro-jakarta-ee integration module where the `shiroSavedRequest` cookie is not validated after a successful login. This allows an attacker with valid credentials to forge the cookie, leading to URL Redirection to Untrusted Sites (Open Redirect) and Server-Side Request Forgery (SSRF), where the server is forced to send an HTTP GET request to an arbitrary URL.

**Recommendations**

Upgrade versions 2.0-alpha through 2.1.0 to version 2.1.1 or later.

Upgrade version 3.0.0-alpha-1 to version 3.0.0-alpha-2 or later.