Recently, shiro-1.5.2.jar has been getting flagged for the critical security vulnerability CVE-2020-11989.
Analysis shows that Geode does not use Shiro in a manner that would expose this vulnerability. The risk of bringing GEODE-8315 is very low (the difference between Shiro 1.5.2 and 1.5.3 is bugfix only). GEODE-8315 has been on develop for 2 days and passed the pipeline. This fix is critical to avoid false positives in automated vulnerability scans, so it would be nice to bring it in before the 1.13.0 release.