Apache Shiro Cookie Vulnerability: Missing Secure Attribute in HTTPS Sessions

Vulnerability

A vulnerability exists in default configurations of Apache Shiro, where sensitive cookies are sent over HTTPS without the 'Secure' attribute. This issue affects versions 1.0 to 2.1.0, as well as 3.0.0-alpha-1. In these versions, the Shiro-native session manager and the Remember-Me manager transmit JSESSIONID and rememberMe cookies without the 'Secure' attribute by default.

Impact

Without the 'Secure' attribute, a browser will also attach these cookies to plain HTTP requests for the same host, so the session identifier or Remember-Me token can travel over an unencrypted channel, increasing the risk of interception by a network attacker.

Remediation

Users are advised to upgrade to Apache Shiro version 2.1.1 or 3.0.0-alpha-2 or later, both of which address this vulnerability by including the 'Secure' attribute in cookies. Instructions for upgrading can be found in the Apache Shiro documentation.
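A check a practitioner can run against their own deployment after upgrading (or to confirm exposure beforehand): parse the Set-Cookie headers of an HTTPS response and flag the JSESSIONID and rememberMe cookies the advisory names when they lack the Secure attribute. This is an added example, not code from the Apache Shiro project; the sample header values are constructed.

```python
"""Audit Set-Cookie headers for Shiro session / Remember-Me cookies lacking 'Secure'."""
from dataclasses import dataclass

# Cookie names the advisory identifies as affected in Shiro's default configuration.
SENSITIVE_COOKIES = {"JSESSIONID", "rememberMe"}


@dataclass
class CookieFinding:
    name: str
    secure: bool
    http_only: bool


def parse_set_cookie(header_value: str) -> CookieFinding:
    """Parse one Set-Cookie header value into its cookie name and the flags we care about.

    Attribute names are case-insensitive per RFC 6265, so they are lower-cased before lookup.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieFinding(name=name, secure="secure" in attrs, http_only="httponly" in attrs)


def audit_set_cookies(headers: list[str]) -> list[str]:
    """Return the names of sensitive cookies that were set without the Secure attribute."""
    missing = []
    for value in headers:
        finding = parse_set_cookie(value)
        if finding.name in SENSITIVE_COOKIES and not finding.secure:
            missing.append(finding.name)
    return missing


# Constructed samples: headers as a vulnerable default might emit them, and as a fixed
# version emits them (the cookie values are placeholders, not real tokens).
VULNERABLE_RESPONSE = [
    "JSESSIONID=constructed-session-id; Path=/; HttpOnly",
    "rememberMe=constructed-token; Path=/; Max-Age=31536000; HttpOnly",
]
FIXED_RESPONSE = [
    "JSESSIONID=constructed-session-id; Path=/; Secure; HttpOnly",
    "rememberMe=constructed-token; Path=/; Max-Age=31536000; Secure; HttpOnly",
]

if __name__ == "__main__":
    print("vulnerable response, cookies missing Secure:", audit_set_cookies(VULNERABLE_RESPONSE))
    print("fixed response, cookies missing Secure:", audit_set_cookies(FIXED_RESPONSE))
```

To run it against a live deployment, pass in `resp.headers.get_all("Set-Cookie")` from a `urllib.request` response to the application's HTTPS login or session endpoint.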

Added: May 26, 2026, 6:25 PM
Updated: May 26, 2026, 6:25 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 2.5
exploitability: 4.0
remediation: 7.7
relevance: 9.4
threat: 0.0
urgency: 5.7
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.