Description

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.

Remediation

References

http://svn.apache.org/viewvc?view=revision&revision=1713185

https://bz.apache.org/bugzilla/show_bug.cgi?id=58809

http://svn.apache.org/viewvc?view=revision&revision=1713184

http://svn.apache.org/viewvc?view=revision&revision=1713187

http://tomcat.apache.org/security-8.html

http://tomcat.apache.org/security-9.html

http://svn.apache.org/viewvc?view=revision&revision=1723414

http://tomcat.apache.org/security-7.html

http://svn.apache.org/viewvc?view=revision&revision=1723506

http://seclists.org/bugtraq/2016/Feb/143

http://www.debian.org/security/2016/dsa-3530

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442

http://www.debian.org/security/2016/dsa-3609

http://www.ubuntu.com/usn/USN-3024-1

http://www.debian.org/security/2016/dsa-3552

http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html

http://rhn.redhat.com/errata/RHSA-2016-2046.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

http://www.securityfocus.com/bid/83323

https://access.redhat.com/errata/RHSA-2016:1087

http://rhn.redhat.com/errata/RHSA-2016-1089.html

https://access.redhat.com/errata/RHSA-2016:1088

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html

https://bto.bluecoat.com/security-advisory/sa118

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html

http://www.securitytracker.com/id/1035069

http://packetstormsecurity.com/files/135890/Apache-Tomcat-Session-Fixation.html

https://security.gentoo.org/glsa/201705-09

http://rhn.redhat.com/errata/RHSA-2016-2808.html

http://rhn.redhat.com/errata/RHSA-2016-2807.html

https://security.netapp.com/advisory/ntap-20180531-0001/

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

Related Vulnerabilities

CVE-2023-38687 Vulnerability in npm package svelecte

CVE-2018-1256 Vulnerability in maven package io.pivotal.spring.cloud:spring-cloud-sso-connector

CVE-2021-42697 Vulnerability in maven package com.typesafe.akka:akka-http-core_2.13

CVE-2022-46769 Vulnerability in maven package org.apache.sling:org.apache.sling.cms.ui

CVE-2016-2166 Vulnerability in maven package org.apache.qpid:proton-j

Severity

Critical

Classification

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory NVD-CWE-Other