
Jesse Yang

#19863 of 53,633
13.1 Total CVSS
Vulnerabilities · 2
Medium: 1
High: 1
PT-2026-7017
5.3
2026-01-01
Apache · Apache Shiro · CVE-2026-23903
**Name of the Vulnerable Software and Affected Versions**

Apache Shiro versions prior to 2.0.7

**Description**

An authentication bypass issue exists in Apache Shiro. The issue relates to bypassing authentication when accessing static files on case-insensitive filesystems by varying the case of the filename in the request, if only lower-case filters are present in Shiro. The issue only affects static files.

**Recommendations**

Upgrade to version 2.0.7, which resolves the issue.

Configure `filterChainResolver.caseInsensitive = true` in `shiro.ini`.

Configure `shiro.caseInsensitive=true` in `application.properties`.
PT-2023-8747
7.8
2023-12-03
Jose4J · Jose4J · CVE-2023-51775
**Name of the Vulnerable Software and Affected Versions**

jose4j versions prior to 0.9.4

**Description**

The issue is related to the improper implementation of the PBES2 algorithm in the jose4j component when handling the `p2c` parameter. This can allow a remote attacker to cause a denial of service due to CPU consumption via a large `p2c` (aka PBES2 Count) value.

**Recommendations**

For versions prior to 0.9.4, update to version 0.9.4 or later to resolve the issue.

As a temporary workaround, consider restricting the use of the `p2c` parameter to minimize the risk of exploitation.