Posted to users@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2019/12/18 15:38:10 UTC
[SECURITY] CVE-2019-17563 Session fixation
CVE-2019-17563 Session fixation
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.29
Apache Tomcat 8.5.0 to 8.5.49
Apache Tomcat 7.0.0 to 7.0.98
Description:
When using FORM authentication there was a narrow window where an
attacker could perform a session fixation attack. The window was
considered too narrow for an exploit to be practical but, erring on the
side of caution, this issue has been treated as a security vulnerability.
Mitigation:
- Upgrade to Apache Tomcat 9.0.30 or later
- Upgrade to Apache Tomcat 8.5.50 or later
- Upgrade to Apache Tomcat 7.0.99 or later
Credit:
William Marlow (IBM).
References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
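The mitigation section lists one affected range and one fixed release per Tomcat branch. The following is an added example, not part of the advisory or of the Tomcat project's code, that turns those ranges into a triage check a defender can run over an inventory: it parses Tomcat version strings (including the `9.0.0.Mn` milestone form named in the advisory, which must sort before the final `9.0.0`), extracts the version from a constructed `catalina.sh version` banner line, and reports which hosts still need the upgrade. The ranges are copied from the advisory text; the banner lines and host names are constructed sample data.

```python
import re

# Affected range (inclusive) and first fixed release per branch, as stated in
# CVE-2019-17563: (first affected, last affected, first fixed).
AFFECTED_RANGES = [
    ("9.0.0.M1", "9.0.29", "9.0.30"),
    ("8.5.0", "8.5.49", "8.5.50"),
    ("7.0.0", "7.0.98", "7.0.99"),
]

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")
# "Server version: Apache Tomcat/9.0.29" is the banner printed by catalina.sh version.
_BANNER = re.compile(r"Apache Tomcat/(\S+)")


def parse_version(v):
    """Map a Tomcat version string to a sortable tuple.

    Milestone builds sort before the final release of the same number, so
    9.0.0.M1 < 9.0.0.M26 < 9.0.0 < 9.0.1. A final release gets rank 1 in the
    fourth slot; a milestone gets rank 0 plus its milestone number.
    """
    m = _VERSION.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def version_from_banner(line):
    """Extract the version from a 'Server version: Apache Tomcat/x.y.z' line."""
    m = _BANNER.search(line)
    if not m:
        raise ValueError(f"no Tomcat version in banner: {line!r}")
    return m.group(1)


def check(version):
    """Return (status, first_fixed) for one installed version.

    status is 'affected', 'fixed', or 'unknown' when the major.minor branch
    is not covered by this advisory (e.g. 10.0.x) or predates the listed range.
    """
    ver = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        lo, hi = parse_version(low), parse_version(high)
        if ver[:2] != lo[:2]:          # compare branches by major.minor only
            continue
        if lo <= ver <= hi:
            return ("affected", fixed)
        if ver > hi:
            return ("fixed", fixed)
        return ("unknown", fixed)
    return ("unknown", None)


def needs_upgrade(inventory):
    """Given {host: banner_line}, return {host: first_fixed} for affected hosts."""
    result = {}
    for host, banner in inventory.items():
        status, fixed = check(version_from_banner(banner))
        if status == "affected":
            result[host] = fixed
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and banner lines).
    sample = {
        "app-01": "Server version: Apache Tomcat/9.0.29",
        "app-02": "Server version: Apache Tomcat/9.0.30",
        "legacy-01": "Server version: Apache Tomcat/7.0.98",
        "staging-01": "Server version: Apache Tomcat/8.5.50",
    }
    for host, fixed in sorted(needs_upgrade(sample).items()):
        print(f"{host}: affected by CVE-2019-17563, upgrade to {fixed} or later")
```

The milestone handling is the part worth getting right: a naive string or float comparison would either reject `9.0.0.M1` or sort it after `9.0.0`, and a host running an early 9.0 milestone would be missed by the check.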