Severity: Important Vendor: The Apache Software Foundation Versions Affected: 1.0.0-incubating - 1.2.4 Description: A default cipher key is used for the "remember me" feature when not explicitly configured. A request that included a specially crafted request parameter could be used to execute arbitrary code or access content that would otherwise be protected by a security constraint. Mitigation: Users should upgrade to 1.2.5 [1], ensure a secret cipher key is configured [2], or disable the "remember me" feature. [3] All binaries (.jars) are available in Maven Central already. References: [1] http://shiro.apache.org/download.html [2] http://shiro.apache.org/configuration.html#Configuration-ByteArrayValues [3] If using a shiro.ini, "remember me" can be disabled adding the following config line in the '[main]' section: securityManager.rememberMeManager = null