CVE-2014-0033

Published: 26 February 2014

org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33 through 6.0.37 does not consider the disableURLRewriting setting when handling a session ID in a URL, which allows remote attackers to conduct session fixation attacks via a crafted URL.

Priority

Low

Status

Package Release Status
tomcat6
Launchpad, Ubuntu, Debian
Upstream
Released (6.0.39)
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable
(6.0.39-1)
Patches:
Upstream: http://svn.apache.org/viewvc?view=rev&rev=1558822
tomcat7
Launchpad, Ubuntu, Debian
Upstream Not vulnerable

Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable