Severity: HIGH (CVSS 8.1) · Ecosystem: Maven
Session Fixation in Apache Tomcat
GHSA-jrcp-c39h-r29x · CVE-2015-5346
Description
Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2. When different session settings are used for deployments of multiple versions of the same web application, the requestedSessionSSL field (see CoyoteAdapter.java and Request.java) can be carried over to an unintended request, which might allow remote attackers to hijack web sessions. Fixed in 7.0.66, 8.0.30 and 9.0.0.M2.
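The advisory gives three affected ranges with an exclusive fixed version each, and one of the bounds (9.0.0.M2) is a milestone build that sorts before the GA build of the same number. The following is an added example, not code from the advisory or the Tomcat project: it parses Tomcat version strings in the forms used on Maven Central (`8.0.29`, `8.0.0-RC1`, `9.0.0.M2`), tests them against the ranges above, and walks a `pom.xml` for `org.apache.tomcat` and `org.apache.tomcat.embed` dependencies, resolving `${property}` versions. The ordering M < RC < GA, the groupId list and the sample POM are assumptions made for the example.

```python
"""Check Maven-declared Apache Tomcat versions against the affected ranges of CVE-2015-5346.

Affected (from the advisory text): 7.x before 7.0.66, 8.x before 8.0.30, 9.x before 9.0.0.M2.
Added example for this page; not code from the Tomcat project.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Pre-release qualifiers sort before the GA build of the same numeric base,
# so 9.0.0.M1 < 9.0.0.M2 < 9.0.0. Assumption: M (milestone) < RC < GA.
_PRE_RANK = {"M": 0, "RC": 1}
_GA_RANK = 2

# Fixed versions are exclusive upper bounds. A major version not listed here
# (e.g. 6.x) is outside the ranges the advisory states, so it is reported as not affected.
FIXED_IN = {7: "7.0.66", 8: "8.0.30", 9: "9.0.0.M2"}

# groupIds under which Tomcat artifacts are published (assumption about Maven coordinates).
TOMCAT_GROUPS = {"org.apache.tomcat", "org.apache.tomcat.embed"}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-](M|RC)(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '8.0.29', '8.0.0-RC1' or '9.0.0.M2' into a tuple that compares correctly."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3])
    if m[4]:
        return (major, minor, patch, _PRE_RANK[m[4]], int(m[5]))
    return (major, minor, patch, _GA_RANK, 0)


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[0])
    if fixed is None:
        return False
    return v < parse_version(fixed)


def _local(tag: str) -> str:
    # Strip the XML namespace so the scan works with or without the POM xmlns.
    return tag.rsplit("}", 1)[-1]


def _child_text(elem: ET.Element, name: str) -> Optional[str]:
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def scan_pom(pom_xml: str) -> List[Tuple[str, str, Optional[bool]]]:
    """Return (groupId:artifactId, resolved version, affected) for every Tomcat dependency.

    affected is None when the version cannot be parsed (unresolved property, version range).
    """
    root = ET.fromstring(pom_xml)
    props = {}
    for elem in root.iter():
        if _local(elem.tag) == "properties":
            for prop in elem:
                props[_local(prop.tag)] = (prop.text or "").strip()
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "dependency":
            continue
        group = _child_text(elem, "groupId")
        artifact = _child_text(elem, "artifactId")
        version = _child_text(elem, "version")
        if group not in TOMCAT_GROUPS or not version:
            continue
        ref = re.fullmatch(r"\$\{([^}]+)\}", version)
        if ref:
            version = props.get(ref[1], version)
        try:
            affected: Optional[bool] = is_affected(version)
        except ValueError:
            affected = None
        findings.append((f"{group}:{artifact}", version, affected))
    return findings


# Constructed sample POM for the example: one affected and one fixed Tomcat dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><tomcat.version>8.0.29</tomcat.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.tomcat</groupId><artifactId>tomcat-catalina</artifactId><version>${tomcat.version}</version></dependency>
    <dependency><groupId>org.apache.tomcat.embed</groupId><artifactId>tomcat-embed-core</artifactId><version>9.0.0.M2</version></dependency>
    <dependency><groupId>javax.servlet</groupId><artifactId>javax.servlet-api</artifactId><version>3.1.0</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for coord, version, affected in scan_pom(SAMPLE_POM):
        status = {True: "AFFECTED", False: "ok", None: "unparseable, review manually"}[affected]
        print(f"{coord} {version}: {status}")
```

The check is deliberately strict about version syntax: a dependency whose version is a Maven range or an unresolved property is reported as unparseable rather than silently treated as safe, which is the failure mode a scanner must avoid.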
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2015-5346
- WEB https://github.com/apache/tomcat/commit/04164c1f01b973e548d95511d417f414ca723cb8
- WEB https://github.com/apache/tomcat/commit/6287be37d8d06c320215c45f7e2b8380411692e0
- WEB https://github.com/apache/tomcat/commit/83679b99cd40caa401d173c8f8e72fc98eb5d5be
- WEB https://github.com/apache/tomcat80/commit/41fbee7ba15435a831f765597ff907c56ebf2169
- WEB https://github.com/apache/tomcat80/commit/c39b7ffc2145644f7f3cf9e3cd4aada5048e56a0
- WEB https://web.archive.org/web/20160912063818/http://www.securityfocus.com/bid/83323
- WEB https://web.archive.org/web/20160321234551/http://www.securitytracker.com/id/1035069
- WEB https://security.netapp.com/advisory/ntap-20180531-0001
- WEB https://security.gentoo.org/glsa/201705-09
- WEB https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
- WEB https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626
- WEB https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442
- PACKAGE https://github.com/apache/tomcat
- WEB https://bz.apache.org/bugzilla/show_bug.cgi?id=58809
- WEB https://bto.bluecoat.com/security-advisory/sa118
- WEB https://access.redhat.com/errata/RHSA-2016:1088
- WEB https://access.redhat.com/errata/RHSA-2016:1087
- WEB http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html
- WEB http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html
- WEB http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html
- WEB http://packetstormsecurity.com/files/135890/Apache-Tomcat-Session-Fixation.html
- WEB http://rhn.redhat.com/errata/RHSA-2016-1089.html
- WEB http://rhn.redhat.com/errata/RHSA-2016-2046.html
- WEB http://rhn.redhat.com/errata/RHSA-2016-2807.html
- WEB http://rhn.redhat.com/errata/RHSA-2016-2808.html
- WEB http://seclists.org/bugtraq/2016/Feb/143
- WEB http://svn.apache.org/viewvc?view=revision&revision=1713184
- WEB http://svn.apache.org/viewvc?view=revision&revision=1713185
- WEB http://svn.apache.org/viewvc?view=revision&revision=1713187
- WEB http://svn.apache.org/viewvc?view=revision&revision=1723414
- WEB http://svn.apache.org/viewvc?view=revision&revision=1723506
- WEB http://tomcat.apache.org/security-7.html
- WEB http://tomcat.apache.org/security-8.html
- WEB http://tomcat.apache.org/security-9.html
- WEB http://www.debian.org/security/2016/dsa-3530
- WEB http://www.debian.org/security/2016/dsa-3552
- WEB http://www.debian.org/security/2016/dsa-3609
- WEB http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- WEB http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
- WEB http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
- WEB http://www.ubuntu.com/usn/USN-3024-1