Impact
The remember‑me cookie expiration is not validated server‑side, allowing an attacker who obtains a valid cookie to replay it indefinitely. This permits unauthorized session persistence and potential impersonation of legitimate users. The flaw aligns with CWE‑294.
Affected Systems
Apache Shiro versions 1.2.4 through 2.x and 3.0.0‑alpha‑1 are affected when RememberMe is enabled. All newer releases starting at 3.0.0 address this flaw.
Risk and Exploitability
The CVSS score of 2 indicates low severity, and the EPSS score is unavailable, suggesting limited exploitation evidence. The vulnerability is not listed in KEV. An attacker requires only a captured cookie to exploit, lacking any privileged conditions; impact is confined to session hijacking. Given the low severity, monitoring and patching remain prudent.
OpenCVE Enrichment