Apache Shiro versions prior to 1.3.2, when using a non-root servlet context path, allowed specifically crafted requests can be used to bypass some security servlet filters, resulting in unauthorized access.
922a5e1fd7a8d3e74cc2b4e09d237b3dd41e4acc621099a0adf20ff10239e9c8