MEDIUM

GHSA-c6r4-qjmw-cvj2

Apache Shiro sends sensitive cookies in HTTPS session without 'Secure' attribute

Details

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute.

This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.

Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.

In the affected versions, the Shiro-native session manager, as well as the Remember-Me manager, sends the JSESSIONID and rememberMe cookies without the 'Secure' attribute by default.
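Added example (not code from the advisory or from the Shiro project): for deployments that cannot upgrade immediately, the two cookies named above can be marked Secure explicitly through Shiro's public API. The classes and setters used (SimpleCookie, DefaultWebSessionManager, CookieRememberMeManager, DefaultWebSecurityManager) are Shiro's own; the surrounding wiring into an application and the class name SecureCookieConfig are assumptions.

```java
// Added example, not part of the advisory or the Shiro code base.
// Marks Shiro's session-id and remember-me cookies Secure (HTTPS only)
// regardless of the version's default, so the attribute no longer depends
// on the defaults described in the advisory.
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.ShiroHttpSession;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

public class SecureCookieConfig {

    /** Cookie template carrying the flags a browser-facing auth cookie should have. */
    static SimpleCookie hardenedCookie(String name) {
        SimpleCookie cookie = new SimpleCookie(name);
        cookie.setSecure(true);    // the attribute missing from the affected defaults
        cookie.setHttpOnly(true);  // Shiro already defaults to HttpOnly; stated explicitly
        return cookie;
    }

    /** Assumed wiring: builds the security manager the application registers with Shiro. */
    public static DefaultWebSecurityManager build() {
        // Native session manager: session-id cookie ("JSESSIONID") with Secure set.
        DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
        sessionManager.setSessionIdCookie(
                hardenedCookie(ShiroHttpSession.DEFAULT_SESSION_ID_NAME));

        // Remember-Me manager: "rememberMe" cookie with Secure set.
        CookieRememberMeManager rememberMe = new CookieRememberMeManager();
        rememberMe.setCookie(
                hardenedCookie(CookieRememberMeManager.DEFAULT_REMEMBER_ME_COOKIE_NAME));

        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setSessionManager(sessionManager);
        securityManager.setRememberMeManager(rememberMe);
        return securityManager;
    }
}
```

To confirm the change took effect, inspect the Set-Cookie headers of an HTTPS response after login: both JSESSIONID and rememberMe should carry the Secure attribute. Upgrading to a fixed version, as the advisory recommends, remains the primary remediation; the explicit setting above only removes the dependency on the defaults.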

Affected packages

Maven / org.apache.shiro:shiro-web
First affected version: 1.0.0-incubating    Fixed version: 2.2.0
Fix: pom.xml: bump <version>2.2.0</version> for org.apache.shiro:shiro-web

Maven / org.apache.shiro:shiro-web
First affected version: 3.0.0-alpha-1    Fixed version: 3.0.0-alpha-2
Fix: pom.xml: bump <version>3.0.0-alpha-2</version> for org.apache.shiro:shiro-web
