Posted to dev@shiro.apache.org by Brian Demers <bd...@apache.org> on 2020/08/17 17:17:10 UTC

[ANNOUNCE][CVE-2020-13933] Apache Shiro 1.6.0 released

The Shiro team is pleased to announce the release of Apache Shiro version
1.6.0.

This security release contains 5 fixes since the 1.5.3 release [1] and is
available for Download now [2].

    CVE-2020-13933:
    Apache Shiro before 1.6.0, when using Apache Shiro,
    a specially crafted HTTP request may cause an authentication bypass.

    Thanks to codeplutos @ antfin non-attack security lab for responsibly
    reporting this issue and working with us as we addressed it.

A new feature named "Global Filters" has been introduced to help
mitigate this type of issue [3].

Release binaries (.jars) are also available through Maven Central and
source bundles through Apache distribution mirrors.

For more information on Shiro, please read the documentation [4].

-The Apache Shiro Team

[1] https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12348623&styleName=Text&projectId=12310950
[2] http://shiro.apache.org/download.html
[3] https://shiro.apache.org/web.html#Web-globalFilters
[4] http://shiro.apache.org/documentation.html