Default configurations of Apache Shiro send sensitive cookies over HTTPS sessions without the 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, the Shiro-native session manager, as well as the Remember-Me manager, sends the JSESSIONID and rememberMe cookies without the 'Secure' attribute by default.
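As an added example (not from the advisory or the Shiro project), a small Python check that parses the Set-Cookie headers of an HTTPS response and flags the two cookies the advisory names when they are set without the Secure attribute; the sample headers are constructed to mimic an affected default configuration.

```python
"""Detect the symptom described in the advisory: JSESSIONID / rememberMe
cookies issued over HTTPS without the 'Secure' attribute.
Added example; the sample headers below are constructed, not captured."""
from typing import Dict, List

# Cookies the advisory says affected Shiro versions send without 'Secure' by default.
SENSITIVE_COOKIES = ("JSESSIONID", "rememberMe")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into cookie name, value and a
    case-insensitive attribute map (flag attributes map to True)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def find_insecure_cookies(headers: List[str], over_https: bool = True) -> List[str]:
    """Return the names of sensitive cookies set without 'Secure'.
    The finding only matters for responses received over HTTPS, so a
    plain-HTTP response (over_https=False) yields no findings."""
    if not over_https:
        return []
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] in SENSITIVE_COOKIES and "secure" not in cookie["attrs"]:
            findings.append(cookie["name"])
    return findings


# Constructed sample: what an affected default configuration might emit over HTTPS.
SAMPLE_HEADERS = [
    "JSESSIONID=0123456789abcdef; Path=/; HttpOnly",
    "rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
    "theme=dark; Path=/",  # not a sensitive cookie, ignored
]

if __name__ == "__main__":
    print(find_insecure_cookies(SAMPLE_HEADERS))  # ['JSESSIONID', 'rememberMe']
```

After upgrading to a fixed version, re-running the check against the same endpoint should return an empty list for both cookies.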
CVSS v4.0 metrics:
Exploitability: AV:N / AC:L / AT:P / PR:N / UI:A
Vulnerable System: VC:H / VI:N / VA:N
Subsequent System: SC:L / SI:N / SA:N
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/AU:Y/R:U/RE:L/U:Amber