Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
Created shiro tracking bugs for this issue:
Affects: fedora-all [bug 1774727]
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6
* Red Hat JBoss Fuse Service Works 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):