Impact
The vulnerability arises because Shiro's native session and Remember-Me cookie managers do not set the Secure attribute by default. As a result, the JSESSIONID and rememberMe cookies are issued over HTTPS sessions without the Secure flag, so a browser may also include them in plaintext HTTP requests to the same host, exposing them on insecure network paths or in environments lacking strict transport controls. This omission, a CWE-614 weakness, enables an attacker to intercept these cookies and impersonate authenticated users, which can lead to unauthorized access to the application.
Affected Systems
The issue affects Apache Shiro releases from 1.0 up through 2.1.0, as well as the 3.0.0‑alpha‑1 snapshot. The advisory recommends upgrading to 2.1.1 or to 3.0.0‑alpha‑2 and later, which include the Secure flag implementation for both session and remember‑me cookies. Until the upgrade or configuration change is applied, the affected versions remain vulnerable.
Risk and Exploitability
The CVSS base score of 5.9 denotes medium severity. No EPSS value is reported, so the exploitation likelihood remains uncertain. The vulnerability is not listed in CISA's KEV catalog. Based on the description, it is inferred that an attacker could capture traffic between a legitimate client and the Shiro‑protected service and replay a captured JSESSIONID or rememberMe cookie to hijack the session. Network security controls such as enforcing HTTPS for all traffic and deploying HTTP Strict Transport Security (HSTS) can mitigate the threat.
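The configuration-side fix, as an added example that is not code from the advisory or from the Shiro project: it builds a web security manager whose session-id and remember-me cookies carry the Secure (and HttpOnly) flags explicitly, so the defaults no longer matter. It assumes the public Shiro web API (SimpleCookie, DefaultWebSessionManager, CookieRememberMeManager) and an application deployed at the context root; the class name is hypothetical.

```java
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

/**
 * Hypothetical factory that sets the Secure flag on both cookies Shiro
 * manages natively, independent of what the installed release defaults to.
 */
public final class SecureShiroCookies {

    private static final int SESSION_SCOPED = -1;               // expires with the browser session
    private static final int ONE_YEAR_SECONDS = 60 * 60 * 24 * 365;

    private SecureShiroCookies() {}

    /** Cookie template with the attributes an HTTPS-only deployment should pin explicitly. */
    static SimpleCookie hardenedCookie(String name, int maxAgeSeconds) {
        SimpleCookie cookie = new SimpleCookie(name);
        cookie.setSecure(true);     // only sent over TLS; false by default in the affected releases
        cookie.setHttpOnly(true);   // keeps the value out of document.cookie
        cookie.setMaxAge(maxAgeSeconds);
        cookie.setPath("/");        // assumption: application served from the context root
        return cookie;
    }

    /** Wires the hardened cookies into the session and remember-me managers. */
    public static DefaultWebSecurityManager securityManager() {
        DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
        sessionManager.setSessionIdCookieEnabled(true);
        sessionManager.setSessionIdCookie(hardenedCookie("JSESSIONID", SESSION_SCOPED));

        CookieRememberMeManager rememberMeManager = new CookieRememberMeManager();
        rememberMeManager.setCookie(hardenedCookie("rememberMe", ONE_YEAR_SECONDS));

        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setSessionManager(sessionManager);
        securityManager.setRememberMeManager(rememberMeManager);
        return securityManager;
    }
}
```

The equivalent shiro.ini entries are `sessionManager.sessionIdCookie.secure = true` (with `securityManager.sessionManager = $sessionManager`) and `securityManager.rememberMeManager.cookie.secure = true`; after deploying, confirm the Set-Cookie headers for JSESSIONID and rememberMe actually carry `Secure` before considering the change complete.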
OpenCVE Enrichment