Information Disclosure

Affecting org.apache.tomcat:tomcat-catalina artifact, versions [7,7.0.66), [8,8.0.30), [9-alpha,9.0.0.M2)


Overview

A session fixation vulnerability in the org.apache.tomcat:tomcat-catalina artifact affects Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2. When different session settings are used for deployments of multiple versions of the same web application, it might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request. The issue is related to CoyoteAdapter.java and Request.java.
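A quick way to check an installed tomcat-catalina version against the affected ranges listed above is to parse the Maven interval notation the advisory uses. This is an added example, not Snyk's or Tomcat's code; the qualifier ordering (alpha < beta < M < RC < release) is a simplified subset of Maven's own version rules, assumed here to be sufficient for the ranges on this page.

```python
import re
from typing import List, Tuple

# Affected ranges copied from the advisory header (Maven interval notation).
AFFECTED_RANGES = ["[7,7.0.66)", "[8,8.0.30)", "[9-alpha,9.0.0.M2)"]

# Simplified pre-release ordering (assumption: subset of Maven's rules);
# a plain release sorts above every pre-release qualifier.
_QUALIFIER_RANK = {"alpha": 0, "a": 0, "beta": 1, "b": 1,
                   "m": 2, "milestone": 2, "rc": 3, "cr": 3}
_RELEASE_RANK = 4

def parse_version(v: str) -> Tuple[List[int], int, int]:
    """'9.0.0.M2' -> ([9,0,0,0,0], rank(M)=2, 2); '8.0.30' -> ([8,0,30,0,0], 4, 0).
    Numeric parts are zero-padded so '9' and '9.0.0' compare equal."""
    nums: List[int] = []
    qual_rank, qual_num = _RELEASE_RANK, 0
    for part in re.split(r"[.-]", v):
        if part.isdigit():
            nums.append(int(part))
            continue
        m = re.fullmatch(r"([A-Za-z]+)(\d*)", part)
        if not m or m.group(1).lower() not in _QUALIFIER_RANK:
            raise ValueError(f"unsupported version token: {part!r}")
        qual_rank = _QUALIFIER_RANK[m.group(1).lower()]
        qual_num = int(m.group(2) or 0)
        break  # tokens after the qualifier are ignored (simplification)
    nums += [0] * (5 - len(nums))
    return nums, qual_rank, qual_num

def parse_range(r: str) -> Tuple[str, str, bool, bool]:
    """Split '[7,7.0.66)' into (low, high, low_inclusive, high_inclusive)."""
    m = re.fullmatch(r"([\[(])([^,]*),([^\])]*)([\])])", r)
    if not m:
        raise ValueError(f"bad range: {r!r}")
    return m.group(2), m.group(3), m.group(1) == "[", m.group(4) == "]"

def in_range(version: str, r: str) -> bool:
    low, high, low_incl, high_incl = parse_range(r)
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    lo_ok = v >= lo if low_incl else v > lo
    hi_ok = v <= hi if high_incl else v < hi
    return lo_ok and hi_ok

def is_affected(tomcat_version: str) -> bool:
    """True when tomcat-catalina at this version falls in any affected range."""
    return any(in_range(tomcat_version, r) for r in AFFECTED_RANGES)
```

Feed it the version from your dependency tree (for example the `tomcat-catalina` entry in `mvn dependency:tree`) to decide whether an upgrade to 7.0.66, 8.0.30 or 9.0.0.M2 is needed.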

CVSS Score

8.1 (high severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Credit: Unknown
CVE: CVE-2015-5346
CWE: CWE-200
Snyk ID: SNYK-JAVA-ORGAPACHETOMCAT-30913
Disclosed: 22 Feb, 2016
Published: 22 Feb, 2016