2 issues skipped by the security teams:
- CVE-2016-4437: Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
- CVE-2016-6802: Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.
![[bug history graph]](https://qa.debian.org/data/bts/graphs/s/shiro.png){kind=link}