Description
"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only when RememberMe functionality is enabled. Upgrade to version 3.0.0 or later, which fixes the issue.
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
High
Attack Requirements
None
Privileges Required
Low
User Interaction
Active
Confidentiality (Vulnerable System)
Low
Integrity (Vulnerable System)
None
Availability (Vulnerable System)
None
Confidentiality (Subsequent System)
Low
Integrity (Subsequent System)
None
Availability (Subsequent System)
None
Scope
None
AU
Y
V
D
RE
Low
U
Green
Affected products
- Apache Software Foundation / Apache Shiro1.2.4 – 2.99.99
- Apache Software Foundation / Apache Shiro3.0.0-alpha-0 – 3.0.0-alpha-1