Summary
The host is running Apache Tomcat and is prone to a session fixation vulnerability.
Impact
Successful exploitation allows a remote attacker to inject a request into the victim's FORM authentication flow; once the victim completes the login, the injected request is executed with the victim's credentials, effectively hijacking the authenticated session.
Impact Level: Application
Solution
Apply the patch or upgrade Apache Tomcat to 6.0.37, 7.0.33 or later. For updates refer to http://tomcat.apache.org
*****
NOTE: Ignore this warning if the above mentioned patch has already been applied manually.
*****
Insight
The FORM authentication feature in 'java/org/apache/catalina/authenticator/FormAuthenticator.java' does not properly handle the relationship between the authentication requirement and the session: the most recent request that required authentication is saved in the session and replayed after a successful login. By repeatedly sending a request for a protected resource with the victim's session ID (for example a fixated one) while the victim is completing the login form, an attacker can inject a request that is then executed using the victim's credentials.
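The request-injection pattern described above, simulated as an added example (this is not Tomcat's code and not the upstream patch). The `FormAuth` container, the `USERS` store, the fixated session ID and the `/account` and `/transfer` paths are all constructed for the illustration. The vulnerable variant replays whatever protected request was saved last in the session; the hardened variant is one illustrative mitigation: it binds the saved request to a one-time token carried in the login form the victim's own browser received, ignores anything saved under a token the browser never saw, and rotates the session ID on authentication.

```python
import secrets

# Constructed credential store for the simulation.
USERS = {"alice": "correct horse"}


class Session:
    """Server-side session state (stand-in for a Tomcat session and its notes)."""

    def __init__(self, sid):
        self.sid = sid
        self.user = None       # principal once authenticated
        self.saved = None      # vulnerable variant: last saved protected path
        self.pending = {}      # hardened variant: login token -> saved path


class FormAuth:
    """Minimal FORM-auth container: sessions keyed by the cookie value."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.sessions = {}

    def session(self, sid):
        return self.sessions.setdefault(sid, Session(sid))

    def get(self, sid, path):
        """GET a protected path. Returns (status, location_or_body, login_token)."""
        s = self.session(sid)
        if s.user is not None:
            return 200, f"{path} served to {s.user}", None
        if not self.hardened:
            # Vulnerable pattern: whoever sends the latest unauthenticated
            # request for this session decides what is replayed after login.
            s.saved = path
            return 302, "/login", None
        # Hardened: bind the saved request to a one-time token that only the
        # client receiving this login form is given (as a hidden field).
        token = secrets.token_hex(8)
        s.pending[token] = path
        return 302, "/login", token

    def login(self, sid, user, password, token=None):
        """POST to the login action. Returns (status, location, new_sid)."""
        s = self.session(sid)
        if USERS.get(user) != password:
            return 403, "/login-error", sid
        if not self.hardened:
            s.user = user
            target, s.saved = s.saved, None
            return 302, target, sid
        # Restore only the request tied to the token the browser submitted;
        # anything injected under a token this browser never saw is ignored.
        target = s.pending.get(token, "/") if token else "/"
        # Rotate the session ID on authentication and drop all pre-login state.
        del self.sessions[sid]
        fresh = Session(secrets.token_hex(16))
        fresh.user = user
        self.sessions[fresh.sid] = fresh
        return 302, target, fresh.sid


def run_attack(hardened):
    """Victim begins logging in for /account; an attacker who knows the
    (fixated) session ID injects a request for /transfer in the meantime.
    Returns the path the victim is sent to after logging in."""
    srv = FormAuth(hardened)
    victim_sid = "fixated-session-id"                     # constructed, attacker-known
    _, _, token = srv.get(victim_sid, "/account")         # victim is sent to the login form
    srv.get(victim_sid, "/transfer?to=attacker")          # attacker's injected request
    _, target, _ = srv.login(victim_sid, "alice", "correct horse", token)
    return target


def run_normal(hardened):
    """Same flow without an attacker. Returns (landing path, session id rotated?)."""
    srv = FormAuth(hardened)
    sid = "some-session-id"
    _, _, token = srv.get(sid, "/account")
    _, target, new_sid = srv.login(sid, "alice", "correct horse", token)
    return target, new_sid != sid


if __name__ == "__main__":
    print("vulnerable lands on:", run_attack(False))   # /transfer?to=attacker
    print("hardened lands on:", run_attack(True))      # /account
```

Running the block shows the vulnerable container redirecting the freshly authenticated victim to the attacker's `/transfer?to=attacker`, while the hardened one lands on `/account`; the legitimate flow is unchanged in both variants.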
Affected
Apache Tomcat 6.0.21 up to and including 6.0.36, and 7.x before 7.0.33
References
Severity
Classification
-
CVE: CVE-2013-2067
CVSS Base Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P