Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2013-2067

java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.

Published

2013-06-01T14:21:05.847

Last Modified

2025-04-11T00:51:21.963

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 6.8 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
Exploitability Score

8.6

Impact Score

6.4

Weaknesses
  • Type: Primary
    CWE-287
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application apache tomcat 6.0.21 Yes
Application apache tomcat 6.0.24 Yes
Application apache tomcat 6.0.26 Yes
Application apache tomcat 6.0.27 Yes
Application apache tomcat 6.0.28 Yes
Application apache tomcat 6.0.29 Yes
Application apache tomcat 6.0.30 Yes
Application apache tomcat 6.0.31 Yes
Application apache tomcat 6.0.32 Yes
Application apache tomcat 6.0.33 Yes
Application apache tomcat 6.0.35 Yes
Application apache tomcat 6.0.36 Yes
Application apache tomcat 7.0.0 Yes
Application apache tomcat 7.0.0 Yes
Application apache tomcat 7.0.1 Yes
Application apache tomcat 7.0.2 Yes
Application apache tomcat 7.0.2 Yes
Application apache tomcat 7.0.3 Yes
Application apache tomcat 7.0.4 Yes
Application apache tomcat 7.0.4 Yes
Application apache tomcat 7.0.5 Yes
Application apache tomcat 7.0.6 Yes
Application apache tomcat 7.0.7 Yes
Application apache tomcat 7.0.8 Yes
Application apache tomcat 7.0.9 Yes
Application apache tomcat 7.0.10 Yes
Application apache tomcat 7.0.11 Yes
Application apache tomcat 7.0.12 Yes
Application apache tomcat 7.0.13 Yes
Application apache tomcat 7.0.14 Yes
Application apache tomcat 7.0.15 Yes
Application apache tomcat 7.0.16 Yes
Application apache tomcat 7.0.17 Yes
Application apache tomcat 7.0.18 Yes
Application apache tomcat 7.0.19 Yes
Application apache tomcat 7.0.20 Yes
Application apache tomcat 7.0.21 Yes
Application apache tomcat 7.0.22 Yes
Application apache tomcat 7.0.23 Yes
Application apache tomcat 7.0.25 Yes
Application apache tomcat 7.0.28 Yes
Application apache tomcat 7.0.30 Yes
Application apache tomcat 7.0.32 Yes
References