Remember-me cookie isn't checked for expiry on the server
Summary
"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only when RememberMe functionality is enabled. Upgrade to version 3.0.0 or later, which fixes the issue. Red Hat severity: Low — CVSS 3 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N). Weakness: CWE-294. Affected Red Hat products: Red Hat Fuse 7; Red Hat JBoss Enterprise Application Platform Expansion Pack. Red Hat does not currently list a fixing RHSA for this CVE.
- 1.2.4
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.