Fork me on GitHub

Apache Shiro Logo Simple. Java. Security. Apache Software Foundation Event Banner

1.9.1 available with fix CVE-2022-32532

Published by  on the

The Shiro team is pleased to announce the release of Apache Shiro version 1.9.1. This is a feature release for 1.x.

This release solves 6 issues since the 1.9.1 release and is available for download now.

All changes

You can learn more on Jira, Release 1.9.1.

CVE-2022-32532

Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with . in the regular expression are possibly vulnerable to an authorization bypass.

Credit: Apache Shiro would like the thank 4ra1n for reporting this issue.

Bug

  • [SHIRO-829] - beanPostProcessor and FactoryBean cause aop to fail in the same Configuration

  • [SHIRO-845] - Dependencies for test-jars missing

Improvement

  • [SHIRO-871] - ActiveDirectoryRealm - append suffix only if missing from username

  • [SHIRO-872] - fix Reproducible Builds issues

  • [SHIRO-883] - Add support for case insensitive regex path matching

Dependency upgrade

  • [SHIRO-878] - Update Spring Dependencies to 5.2.20

  • [SHIRO-882] - Upgrade to apache pom parent 26

  • [SHIRO-881] - pom.xml in samples/web may lack dependency

Download

Download and verification instructions are available on our download page.

Documentation

For more information on Shiro, please read the documentation.

Enjoy!

The Apache Shiro Team