Apache · Apache Shiro · CVE-2026-23901
**Name of the Vulnerable Software and Affected Versions**
Apache Shiro versions 1.*
Apache Shiro versions 2.* through 2.0.6
**Description**
An observable timing discrepancy exists in Apache Shiro. Before version 2.0.7, the code paths used for non-existent and existing users differ sufficiently, allowing a brute-force attack to determine if a request fails due to an invalid user or an incorrect password by measuring request timing. The most likely attack vector is a local attack. This issue is related to username enumeration, as discussed in the Shiro security model. Brute force attacks can typically be mitigated at the infrastructure level.
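The class of defect described above can be illustrated with an added example (this is not Shiro's code, and the page does not say how Shiro's fix is implemented): a hypothetical `Realm` whose `authenticate_leaky` returns early for unknown usernames, skipping the expensive password hash, beside `authenticate_uniform`, which runs a dummy credential check for unknown usernames so both paths perform the same work. The `verify_calls` counter instruments work done rather than wall-clock time, so the difference is deterministic; `ITERATIONS`, the dummy credential and the sample user are constructed values.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed PBKDF2 cost; real deployments tune this


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow password hash; this is the cost an early return skips."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Realm:
    """Hypothetical user store used only for illustration (not Shiro's Realm)."""

    def __init__(self, users):
        self.users = users  # username -> (salt, expected hash)
        # Constructed dummy credential, hashed once at startup, so the
        # unknown-user path can do the same amount of work as a real check.
        self.dummy_salt = os.urandom(16)
        self.dummy_hash = hash_password("dummy-placeholder-password", self.dummy_salt)
        self.verify_calls = 0  # instrumentation: how many full verifications ran

    def _verify(self, password: str, salt: bytes, expected: bytes) -> bool:
        self.verify_calls += 1
        return hmac.compare_digest(hash_password(password, salt), expected)

    def authenticate_leaky(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        if record is None:
            return False  # early return: no hash computed, path is much faster
        salt, expected = record
        return self._verify(password, salt, expected)

    def authenticate_uniform(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        if record is None:
            # Same hashing cost as a real user, result discarded; the caller
            # still only learns "authentication failed".
            self._verify(password, self.dummy_salt, self.dummy_hash)
            return False
        salt, expected = record
        return self._verify(password, salt, expected)


def make_realm() -> Realm:
    """Constructed sample store with a single user."""
    salt = os.urandom(16)
    return Realm({"alice": (salt, hash_password("correct horse", salt))})
```

Rate limiting or account lockout at the infrastructure level, as the description notes, is a complementary control and does not replace equalising the work done per request.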
**Recommendations**
Upgrade to Apache Shiro version 2.0.7 or later.