I think it make sense to upgrade shiro, could you create a ticket for it. And welcome to create a PR to make contribution to Zeppelin.
한병익 <hiasinc...@gmail.com> 于2019年12月2日周一 下午9:38写道: > According to Apache Shiro official page's security-reports, there has > vulnerability when using the default “Remember Me” configuration, cookies > could be susceptible to a padding attack. > > Now, Zeppelin uses Apache Shiro version 1.3.2. I think it should be > updated to 1.4.2. > > cf) https://shiro.apache.org/security-reports.html > -- Best Regards Jeff Zhang