CVE-2015-5346
Published: 24 February 2016
Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.
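As an added aid that is not part of the advisory, the check below turns the affected version ranges stated above (7.x before 7.0.66, 8.x before 8.0.30, 9.x before 9.0.0.M2) into a small version comparison, including the 9.0.0.M1-versus-9.0.0.M2 milestone edge case where plain dotted-number comparison gets the answer wrong. It works on upstream Tomcat version strings only; distribution packages such as 7.0.52-1ubuntu0.6 in the table below carry backported fixes, so their upstream number alone does not tell you whether they are vulnerable.

```python
import re

# Fixed versions taken from the advisory text: 7.0.66, 8.0.30 and 9.0.0.M2.
# The last element is the milestone number (None for a GA release).
_FIXED = {
    7: (7, 0, 66, None),
    8: (8, 0, 30, None),
    9: (9, 0, 0, 2),
}

# Matches "7.0.52", "9.0.0.M1"; anything else (e.g. a Debian revision suffix)
# is rejected so that backported distro packages are not misclassified.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def parse_version(text):
    """Return (major, minor, patch, milestone_or_None) for an upstream version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised upstream Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone is not None else None)


def _sort_key(version):
    major, minor, patch, milestone = version
    # A milestone build (M1, M2, ...) precedes the GA release of the same
    # number, so GA sorts after every milestone of that number.
    milestone_key = (1, 0) if milestone is None else (0, milestone)
    return (major, minor, patch, milestone_key)


def is_affected(text):
    """True if the upstream version lies in one of the advisory's ranges."""
    version = parse_version(text)
    fixed = _FIXED.get(version[0])
    if fixed is None:
        # Major lines the advisory does not list (e.g. 6.x) are treated as
        # outside its ranges; that is an assumption, not a statement by the page.
        return False
    return _sort_key(version) < _sort_key(fixed)
```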
Priority
Status
Package | Release | Status |
---|---|---|
tomcat6 (Launchpad, Ubuntu, Debian) | precise | Not vulnerable |
tomcat6 | trusty | Not vulnerable |
tomcat6 | upstream | Not vulnerable |
tomcat6 | wily | Not vulnerable |
tomcat6 | xenial | Not vulnerable |
tomcat6 | yakkety | Does not exist |
tomcat6 | zesty | Does not exist |

Package | Release | Status |
---|---|---|
tomcat7 (Launchpad, Ubuntu, Debian) | precise | Does not exist (precise was needed) |
tomcat7 | trusty | Released (7.0.52-1ubuntu0.6) |
tomcat7 | upstream | Released (7.0.68-1) |
tomcat7 | wily | Released (7.0.64-1ubuntu0.3) |
tomcat7 | xenial | Not vulnerable (7.0.68-1) |
tomcat7 | yakkety | Not vulnerable (7.0.68-1) |
tomcat7 | zesty | Not vulnerable (7.0.68-1) |

Patches (tomcat7): upstream: http://svn.apache.org/viewvc?view=revision&revision=1713187

Package | Release | Status |
---|---|---|
tomcat8 (Launchpad, Ubuntu, Debian) | precise | Does not exist |
tomcat8 | trusty | Does not exist |
tomcat8 | upstream | Released (8.0.30-1) |
tomcat8 | wily | Ignored (reached end-of-life) |
tomcat8 | xenial | Not vulnerable (8.0.32-1ubuntu1) |
tomcat8 | yakkety | Not vulnerable (8.0.32-1ubuntu1) |
tomcat8 | zesty | Not vulnerable (8.0.32-1ubuntu1) |

Patches (tomcat8): upstream: http://svn.apache.org/viewvc?view=revision&revision=1713185 upstream: http://svn.apache.org/viewvc?view=revision&revision=1723506
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.1 |
Attack vector | Network |
Attack complexity | High |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality impact | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |