Description

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.

Remediation

References

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html

http://packetstormsecurity.com/files/135890/Apache-Tomcat-Session-Fixation.html

http://rhn.redhat.com/errata/RHSA-2016-1089.html

http://rhn.redhat.com/errata/RHSA-2016-2046.html

http://rhn.redhat.com/errata/RHSA-2016-2807.html

http://rhn.redhat.com/errata/RHSA-2016-2808.html

http://seclists.org/bugtraq/2016/Feb/143

http://svn.apache.org/viewvc?view=revision&revision=1713184

http://svn.apache.org/viewvc?view=revision&revision=1713185

http://svn.apache.org/viewvc?view=revision&revision=1713187

http://svn.apache.org/viewvc?view=revision&revision=1723414

http://svn.apache.org/viewvc?view=revision&revision=1723506

http://tomcat.apache.org/security-7.html

http://tomcat.apache.org/security-8.html

http://tomcat.apache.org/security-9.html

http://www.debian.org/security/2016/dsa-3530

http://www.debian.org/security/2016/dsa-3552

http://www.debian.org/security/2016/dsa-3609

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

http://www.securityfocus.com/bid/83323

http://www.securitytracker.com/id/1035069

http://www.ubuntu.com/usn/USN-3024-1

https://access.redhat.com/errata/RHSA-2016:1087

https://access.redhat.com/errata/RHSA-2016:1088

https://bto.bluecoat.com/security-advisory/sa118

https://bz.apache.org/bugzilla/show_bug.cgi?id=58809

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

https://security.gentoo.org/glsa/201705-09

https://security.netapp.com/advisory/ntap-20180531-0001/

Related Vulnerabilities

CVE-2023-32999 Vulnerability in maven package com.rapid7:jenkinsci-appspider-plugin

CVE-2022-34186 Vulnerability in maven package com.moded.extendedchoiceparameter:dynamic_extended_choice_parameter

CVE-2022-28732 Vulnerability in maven package org.apache.jspwiki:jspwiki-war

CVE-2023-32978 Vulnerability in maven package org.jenkins-ci.plugins:ldap

CVE-2023-24459 Vulnerability in maven package org.jenkins-ci.plugins:bearychat

Severity

Critical

Classification

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory NVD-CWE-Other