PT-2026-43119 · Apache · Apache Shiro

Meteor_Kai · Published 2026-05-25 · Updated 2026-05-25

CVE-2026-43828
CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Default configurations of Apache Shiro send sensitive cookies in HTTPS sessions without the 'Secure' attribute.
This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.
Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.
In the affected versions, the Shiro-native session manager and the Remember-Me manager send the JSESSIONID and rememberMe cookies without the 'Secure' attribute by default. A cookie without that attribute is also transmitted by the browser over plain HTTP to the same host, so a session or remember-me token issued over HTTPS can be exposed if the user is induced to load any http:// URL on that host (hence UI:R and C:H in the vector).

Fix
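Beyond upgrading, the affected defaults can be overridden in the application's Shiro configuration. The shiro.ini fragment below is an added example, not from the advisory or the Shiro project; it assumes a servlet deployment configured through a [main] section, that the Shiro-native DefaultWebSessionManager is in use (the one the advisory refers to), and that Shiro's nested property syntax is used to reach the session ID cookie and the Remember-Me cookie objects.

```ini
[main]
# Added example (not from the advisory): set the Secure attribute on both
# cookies the advisory names, for deployments that cannot upgrade yet.

# Shiro-native session manager: owns the session ID cookie (JSESSIONID by default).
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager

# Weak setting (the affected-version default, shown for comparison): the
# browser also sends the cookie over plain HTTP.
# sessionManager.sessionIdCookie.secure = false

# Corrected setting: cookie is only sent over HTTPS.
sessionManager.sessionIdCookie.secure = true
sessionManager.sessionIdCookie.httpOnly = true

# Remember-Me manager: DefaultWebSecurityManager installs a CookieRememberMeManager
# by default, so its rememberMe cookie is reached through the security manager.
securityManager.rememberMeManager.cookie.secure = true
securityManager.rememberMeManager.cookie.httpOnly = true
```

If the application keeps Shiro's default ServletContainerSessionManager instead, JSESSIONID is issued by the servlet container rather than by Shiro, and its Secure flag is controlled by the container (for example the cookie-config element of web.xml in Servlet 3.0+), while the rememberMe line above still applies. After deploying, confirm the change by inspecting the Set-Cookie headers of a login response over HTTPS: both cookies should carry the Secure attribute.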

Weakness Enumeration

Related Identifiers

CVE-2026-43828

Affected Products

Apache Shiro
Shiro