Posted to users@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2019/12/18 15:38:10 UTC

[SECURITY] CVE-2019-17563 Session fixation

CVE-2019-17563 Session fixation

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.29
Apache Tomcat 8.5.0 to 8.5.49
Apache Tomcat 7.0.0 to 7.0.98

Description:
When using FORM authentication there was a narrow window where an
attacker could perform a session fixation attack. The window was
considered too narrow for an exploit to be practical but, erring on the
side of caution, this issue has been treated as a security vulnerability.
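The advisory does not describe the exact window, so the following is an added illustration of the general session fixation pattern it refers to, not Tomcat code and not a reproduction of the Tomcat bug. It models a FORM-style login flow (a session exists before the credentials are posted) with a toy in-memory session store: one configuration keeps the pre-authentication session ID after a successful login, the other issues a fresh ID. The names (SessionStore, fixation_attack, check_credentials), the user "alice" and the password are all invented for the example.

```python
import secrets

# Constructed credential table for the example; a real deployment would consult a Realm.
_USERS = {"alice": "correct horse battery staple"}


def check_credentials(username, password):
    """Constant-time comparison against the toy credential table."""
    expected = _USERS.get(username)
    return expected is not None and secrets.compare_digest(expected, password)


class SessionStore:
    """Minimal server-side session store; rotate_on_login selects the defence."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session id -> {"user": str or None}

    def new_session(self):
        # Anyone who requests the login page gets an unauthenticated session.
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, username, password):
        """FORM-style login: credentials arrive on an already existing session.

        Returns (session id the client should use from now on, success flag).
        """
        if sid not in self.sessions:
            sid = self.new_session()
        if not check_credentials(username, password):
            return sid, False
        if self.rotate_on_login:
            # Defence: bind the authenticated state to a fresh ID and
            # invalidate the one the client presented, so an ID that was
            # known to a third party before login is worthless afterwards.
            data = self.sessions.pop(sid)
            sid = secrets.token_hex(16)
            self.sessions[sid] = data
        self.sessions[sid]["user"] = username
        return sid, True

    def whoami(self, sid):
        """User bound to a session id, or None if unauthenticated/unknown."""
        session = self.sessions.get(sid)
        return session["user"] if session else None


def fixation_attack(store):
    """Run the classic fixation sequence against a store and report what the
    attacker can see afterwards (None means the attack failed)."""
    # 1. Attacker obtains a valid, unauthenticated session id from the server.
    attacker_sid = store.new_session()
    # 2. Attacker gets the victim's browser to use that id (delivery method is
    #    out of scope here; the example simply hands the id to the victim).
    victim_sid = attacker_sid
    # 3. Victim logs in over the planted session.
    victim_sid, ok = store.login(victim_sid, "alice", "correct horse battery staple")
    assert ok, "victim login should succeed"
    # 4. Attacker presents the id it chose; success means it is now authenticated.
    return store.whoami(attacker_sid)


if __name__ == "__main__":
    print("no rotation :", fixation_attack(SessionStore(rotate_on_login=False)))
    print("with rotation:", fixation_attack(SessionStore(rotate_on_login=True)))
```

Without rotation the attacker's pre-chosen ID ends up bound to "alice"; with rotation the old ID is discarded at login and the attacker gets nothing. Tomcat's authenticator valves already change the session ID on authentication by default (the changeSessionIdOnAuthentication attribute), which is why the remaining window described in this advisory is narrow; the fix is to upgrade, not to rely on this toy.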

Mitigation:
- Upgrade to Apache Tomcat 9.0.30 or later
- Upgrade to Apache Tomcat 8.5.50 or later
- Upgrade to Apache Tomcat 7.0.99 or later
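A small version check, added here and not part of the advisory, that tells you whether a given Tomcat version string falls inside the affected ranges listed above. It has to order the 9.0.0.Mx milestone releases before 9.0.0 and accept the "Apache Tomcat/9.0.29" form that appears in server banners and in the output of bin/version.sh. The function names (parse_tomcat_version, is_affected) are invented; the ranges are the three from this advisory. A version from a branch this advisory does not list (for example 8.0.x or 10.x) returns False, which means "not covered by this advisory", not "safe".

```python
import re

# Affected ranges exactly as listed in the advisory: (first affected, last affected).
AFFECTED_RANGES = [
    ("9.0.0.M1", "9.0.29"),
    ("8.5.0", "8.5.49"),
    ("7.0.0", "7.0.98"),
]

_VERSION_RE = re.compile(
    r"^(?:Apache Tomcat/)?(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$"
)


def parse_tomcat_version(text):
    """Return a sortable tuple for a Tomcat version string.

    Accepts "9.0.29", "9.0.0.M1" and "Apache Tomcat/9.0.29".
    Milestones (9.0.0.M1 .. M27) sort before the final 9.0.0 and therefore
    before every later 9.0.x release. Raises ValueError on anything else.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % text)
    major, minor, patch, milestone = m.groups()
    is_final = 0 if milestone else 1
    return (int(major), int(minor), int(patch), is_final, int(milestone or 0))


def is_affected(text):
    """True if the version lies in one of the advisory's affected ranges."""
    v = parse_tomcat_version(text)
    for low, high in AFFECTED_RANGES:
        if parse_tomcat_version(low) <= v <= parse_tomcat_version(high):
            return True
    return False


if __name__ == "__main__":
    import sys
    # Usage: pipe the "Server version:" line of bin/version.sh into this script,
    # or pass versions as arguments.
    args = sys.argv[1:] or [
        line.split(":", 1)[1] for line in sys.stdin if line.startswith("Server version:")
    ]
    for v in args:
        print(v.strip(), "AFFECTED" if is_affected(v) else "not listed as affected")
```

bin/version.sh prints a line of the form "Server version: Apache Tomcat/9.0.29", so `bin/version.sh | python3 check.py` (with the block saved as check.py) gives a direct answer for a local install.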

Credit:
William Marlow (IBM).

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
