What Is New in Apache Shiro 1.4
This release focuses on dependency upgrades, security fixes, and minor API improvements. Here's a quick summary of the key changes.
| Category | Description |
|---|---|
| Security Fixes | Patches for CVE-2020-13933 and CVE-2020-17523 |
| Dependency Upgrades | Updated dependencies like Ehcache, Hazelcast, and Jedis |
| Bug Fixes | Resolved issues with RememberMe and session handling |
| Improvements | Enhanced documentation and test coverage |
What security vulnerabilities were addressed?
Shiro 1.4.2 patches two critical security vulnerabilities. CVE-2020-13933 fixed an authentication bypass issue in the Apache Shiro Spring Boot starter. CVE-2020-17523 resolved a problem where Shiro's authentication logic could be manipulated through specific HTTP request sequencing.
In practice, these CVEs were serious because they could allow an attacker to bypass security controls entirely. The fixes ensure that authentication and request handling work as intended without unexpected loopholes.
Which dependencies got updated?
The release bumps the versions of several third-party libraries. This matters because it keeps Shiro's integrations with caching and data storage systems stable and secure.
- Ehcache to 2.10.6.2
- Hazelcast to 3.12.8
- Jedis to 3.3.0
- Httpclient to 4.5.12
- Guava to 28.2-jre
These updates primarily address potential security issues within the dependencies themselves, not necessarily Shiro's direct code.
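A quick way to confirm that a build actually resolves the bumped versions is to audit `mvn dependency:list` output against the minimums listed above. The script below is an added example, not part of the release notes or the Shiro project; the Maven coordinates are assumed from the usual artifact names, and the sample output is constructed.

```python
import re
from typing import Dict, List, Tuple

# Minimum versions shipped with Shiro 1.4.2 (from the release notes).
# Coordinates are assumed from the usual Maven artifact names; adjust to your build.
MINIMUM_VERSIONS: Dict[str, str] = {
    "net.sf.ehcache:ehcache": "2.10.6.2",
    "com.hazelcast:hazelcast": "3.12.8",
    "redis.clients:jedis": "3.3.0",
    "org.apache.httpcomponents:httpclient": "4.5.12",
    "com.google.guava:guava": "28.2-jre",
}

# Matches lines printed by `mvn dependency:list`, e.g.
# "[INFO]    net.sf.ehcache:ehcache:jar:2.10.5:compile"
_DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?:(?P<classifier>[\w\-]+):)?(?P<version>[^:\s]+):(?P<scope>\w+)"
)

def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for comparison; qualifiers such as '-jre' are ignored."""
    numeric = re.match(r"[\d.]+", version)
    return tuple(int(p) for p in (numeric.group(0) if numeric else "0").split(".") if p)

def parse_dependency_list(output: str) -> Dict[str, str]:
    """Map 'group:artifact' -> resolved version from mvn dependency:list output."""
    resolved = {}
    for line in output.splitlines():
        m = _DEP_LINE.match(line)
        if m:
            resolved[f"{m['group']}:{m['artifact']}"] = m["version"]
    return resolved

def audit(resolved: Dict[str, str]) -> List[Tuple[str, str, str, bool]]:
    """Return (coordinate, found, required, ok) per bumped library.
    A library absent from the build is reported as found='-' and ok=True."""
    findings = []
    for coord, required in MINIMUM_VERSIONS.items():
        found = resolved.get(coord)
        ok = found is None or version_key(found) >= version_key(required)
        findings.append((coord, found or "-", required, ok))
    return findings

# Constructed sample of `mvn dependency:list` output (not from a real build).
SAMPLE_OUTPUT = """\
[INFO]    org.apache.shiro:shiro-core:jar:1.4.2:compile
[INFO]    net.sf.ehcache:ehcache:jar:2.10.5:compile
[INFO]    com.hazelcast:hazelcast:jar:3.12.8:compile
[INFO]    redis.clients:jedis:jar:2.9.0:compile
[INFO]    com.google.guava:guava:jar:28.2-jre:compile
"""

if __name__ == "__main__":
    for coord, found, required, ok in audit(parse_dependency_list(SAMPLE_OUTPUT)):
        print(f"{'OK ' if ok else 'OLD'} {coord} found={found} required>={required}")
```

Pipe the real output of `mvn dependency:list` into `parse_dependency_list` to audit an actual project; any `OLD` line means a transitive override is still pulling in a version older than the one Shiro 1.4.2 ships with.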
Were there any RememberMe fixes?
Yes, a key bug was fixed where a RememberMe authentication token would not be considered during a session restart. This could cause a user to be unexpectedly logged out even when a valid remember-me cookie was present.
The fix ensures the token is properly recognized and honored, making the user experience more consistent. This was a behavioral correction rather than a security patch.
FAQ
Is this a mandatory upgrade from Shiro 1.4.1?
Yes, if you are using the Spring Boot starter or are concerned about the authentication bypass vulnerabilities (CVE-2020-13933, CVE-2020-17523). For other users, it's a recommended upgrade for the latest dependency fixes.
Does the Ehcache update change how Shiro works with caching?
No, the update to Ehcache 2.10.6.2 is a drop-in replacement for the previous version. The API remains the same, so your configuration and code should continue to work without modification.
What was the core issue with CVE-2020-17523?
The vulnerability involved Shiro's response to a specific sequence of HTTP requests. Under certain conditions, an attacker could manipulate the flow to bypass intended access controls, making the patch essential for correct security enforcement.
I don't use Spring Boot. Do I need to upgrade?
While CVE-2020-13933 specifically targeted the Spring Boot starter, the other fixes (like CVE-2020-17523 and the dependency upgrades) are framework-agnostic. Upgrading is still a good practice for overall stability.
Are there any breaking API changes in 1.4.2?
No, this is a patch release within the 1.4.x line. The changes are focused on security patches, bug fixes, and dependency management, so existing APIs remain stable and compatible.