CVE-2019-12422

Name of the Vulnerable Software and Affected Versions Apache Shiro versions prior to 1.4.2

Description The issue is related to the use of the default "remember me" configuration in Apache Shiro, which can make cookies susceptible to a padding attack. This could allow a remote attacker to impact the integrity of cookie files.

Recommendations For versions prior to 1.4.2, update to version 1.4.2 or later to resolve the issue. As a temporary workaround, consider disabling the default "remember me" configuration until a patch is available. Restrict access to sensitive areas of the application that rely on cookie-based authentication to minimize the risk of exploitation.