CVE-2015-5346 Information

Description

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html
http://packetstormsecurity.com/files/135890/Apache-Tomcat-Session-Fixation.html
http://rhn.redhat.com/errata/RHSA-2016-1089.html
http://rhn.redhat.com/errata/RHSA-2016-2046.html
http://rhn.redhat.com/errata/RHSA-2016-2807.html
http://rhn.redhat.com/errata/RHSA-2016-2808.html
http://seclists.org/bugtraq/2016/Feb/143
http://svn.apache.org/viewvc?view=revision&revision=1713184
http://svn.apache.org/viewvc?view=revision&revision=1713185
http://svn.apache.org/viewvc?view=revision&revision=1713187
http://svn.apache.org/viewvc?view=revision&revision=1723414
http://svn.apache.org/viewvc?view=revision&revision=1723506
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html
http://www.debian.org/security/2016/dsa-3530
http://www.debian.org/security/2016/dsa-3552
http://www.debian.org/security/2016/dsa-3609
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
http://www.securityfocus.com/bid/83323
http://www.securitytracker.com/id/1035069
http://www.ubuntu.com/usn/USN-3024-1
https://access.redhat.com/errata/RHSA-2016:1087
https://access.redhat.com/errata/RHSA-2016:1088
https://bto.bluecoat.com/security-advisory/sa118
https://bz.apache.org/bugzilla/show_bug.cgi?id=58809
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
https://security.gentoo.org/glsa/201705-09
https://security.netapp.com/advisory/ntap-20180531-0001/

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

8.1

Base Severity

HIGH
