CVE-2019-17563

Published: 23 December 2019

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

Priority

Low

CVSS 3 base score: 7.5

Status

Package / Release / Status

tomcat7 (Launchpad, Ubuntu, Debian)
  bionic     Needs triage
  disco      Does not exist
  eoan       Does not exist
  focal      Does not exist
  groovy     Does not exist
  hirsute    Does not exist
  impish     Does not exist
  jammy      Does not exist
  precise    Does not exist
  trusty     Needs triage
  upstream   Needs triage
  xenial     Ignored (end of standard support, was needs-triage)

tomcat8 (Launchpad, Ubuntu, Debian)
  bionic     Needs triage
  disco      Does not exist
  eoan       Does not exist
  focal      Does not exist
  groovy     Does not exist
  hirsute    Does not exist
  impish     Does not exist
  jammy      Does not exist
  precise    Does not exist
  trusty     Does not exist
  upstream   Needs triage
  xenial     Released (8.0.32-1ubuntu1.11)

tomcat9 (Launchpad, Ubuntu, Debian)
  bionic     Needs triage
  disco      Ignored (reached end-of-life)
  eoan       Ignored (reached end-of-life)
  focal      Not vulnerable (9.0.31-1)
  groovy     Not vulnerable (9.0.31-1)
  hirsute    Not vulnerable (9.0.31-1)
  impish     Not vulnerable (9.0.31-1)
  jammy      Not vulnerable (9.0.31-1)
  precise    Does not exist
  trusty     Does not exist
  upstream   Needs triage
  xenial     Does not exist