Apache Shiro versions prior to 1.3.2, when using a non-root servlet context path, allowed specifically crafted requests to bypass some security servlet filters, resulting in unauthorized access.
The Shiro team is pleased to announce the release of Apache Shiro version 1.3.2.
This security release contains 1 fix since the 1.3.1 release and is
available for Download now [1].
CVE-2016-6802:
Apache Shiro before 1.3.2, when using a non-root servlet context path,
specifically crafted requests can be used to bypass some security servlet
filters, resulting in unauthorized access.
Release binaries (.jars) are also available through Maven Central and
source bundles through Apache distribution mirrors.
For more information on Shiro, please read the documentation[2].
-The Apache Shiro Team
[1] http://shiro.apache.org/download.html
[2] http://shiro.apache.org/documentation.html