Apache Shiro prior to 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
apache shiro
debian debian linux 9.0