Summary
The host is running Apache Tomcat Server and is prone to a session fixation vulnerability.
Impact
Successful exploitation will allow attackers to conduct session fixation attacks to hijack the target user's session.
Impact Level: Application
Solution
Apply the patch or upgrade Apache Tomcat to 7.0.33 or 6.0.37 or later. For updates refer to http://tomcat.apache.org
*****
NOTE: Ignore this warning if the above-mentioned patch has been applied manually.
*****
Insight
The flaw is due to improper validation of session cookies in the FormAuthenticator module ('java/org/apache/catalina/authenticator/FormAuthenticator.java').
Affected
Apache Tomcat versions 6.0.21 and later before 6.0.37, and 7.x before 7.0.33
References
Severity
Classification
CVE: CVE-2013-2067
CVSS Base Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Related Vulnerabilities
- HttpBlitz Server HTTP Request Remote Denial of Service Vulnerability
- Apache Tomcat Session Fixation Vulnerability (Windows)
- Acritum Femitter Server HTTP Request Remote File Disclosure Vulnerability
- Apache Traffic Server HTTP TRACE Request Remote DoS Vulnerability
- lighttpd Slow Request Handling Remote Denial Of Service Vulnerability