Is it practical to look at separating the Spring library from the rest
of Shiro?
It seems like we see a fair number of vulnerabilities for the Spring
code which don't affect other modules / usage.

Best regards,
Philip Whitehouse

On 2021-09-16 21:19, Brian Demers wrote:
Description:
Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a
specially crafted HTTP request may cause an authentication bypass.
Users should update to Apache Shiro 1.8.0.

Credit:
Apache Shiro would like to thank tsug0d for reporting this issue.