Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2015-5346

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.

Published

2016-02-25T01:59:02.167

Last Modified

2025-04-12T10:46:40.837

Status

Deferred

Source

[email protected]

Severity

CVSSv3.0: 8.1 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
Exploitability Score

8.6

Impact Score

6.4

Weaknesses
  • Type: Primary
    NVD-CWE-Other
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application apache tomcat 7.0.0 Yes
Application apache tomcat 7.0.2 Yes
Application apache tomcat 7.0.4 Yes
Application apache tomcat 7.0.5 Yes
Application apache tomcat 7.0.6 Yes
Application apache tomcat 7.0.10 Yes
Application apache tomcat 7.0.11 Yes
Application apache tomcat 7.0.12 Yes
Application apache tomcat 7.0.14 Yes
Application apache tomcat 7.0.16 Yes
Application apache tomcat 7.0.19 Yes
Application apache tomcat 7.0.20 Yes
Application apache tomcat 7.0.21 Yes
Application apache tomcat 7.0.22 Yes
Application apache tomcat 7.0.23 Yes
Application apache tomcat 7.0.25 Yes
Application apache tomcat 7.0.26 Yes
Application apache tomcat 7.0.27 Yes
Application apache tomcat 7.0.28 Yes
Application apache tomcat 7.0.29 Yes
Application apache tomcat 7.0.30 Yes
Application apache tomcat 7.0.32 Yes
Application apache tomcat 7.0.33 Yes
Application apache tomcat 7.0.34 Yes
Application apache tomcat 7.0.35 Yes
Application apache tomcat 7.0.37 Yes
Application apache tomcat 7.0.39 Yes
Application apache tomcat 7.0.40 Yes
Application apache tomcat 7.0.41 Yes
Application apache tomcat 7.0.42 Yes
Application apache tomcat 7.0.47 Yes
Application apache tomcat 7.0.50 Yes
Application apache tomcat 7.0.52 Yes
Application apache tomcat 7.0.53 Yes
Application apache tomcat 7.0.54 Yes
Application apache tomcat 7.0.55 Yes
Application apache tomcat 7.0.56 Yes
Application apache tomcat 7.0.57 Yes
Application apache tomcat 7.0.59 Yes
Application apache tomcat 7.0.61 Yes
Application apache tomcat 7.0.62 Yes
Application apache tomcat 7.0.63 Yes
Application apache tomcat 7.0.64 Yes
Application apache tomcat 7.0.65 Yes
Application apache tomcat 8.0.0 Yes
Application apache tomcat 8.0.0 Yes
Application apache tomcat 8.0.0 Yes
Application apache tomcat 8.0.0 Yes
Application apache tomcat 8.0.1 Yes
Application apache tomcat 8.0.3 Yes
Application apache tomcat 8.0.11 Yes
Application apache tomcat 8.0.12 Yes
Application apache tomcat 8.0.14 Yes
Application apache tomcat 8.0.15 Yes
Application apache tomcat 8.0.17 Yes
Application apache tomcat 8.0.18 Yes
Application apache tomcat 8.0.20 Yes
Application apache tomcat 8.0.21 Yes
Application apache tomcat 8.0.22 Yes
Application apache tomcat 8.0.23 Yes
Application apache tomcat 8.0.24 Yes
Application apache tomcat 8.0.26 Yes
Application apache tomcat 8.0.27 Yes
Application apache tomcat 8.0.28 Yes
Application apache tomcat 8.0.29 Yes
Application apache tomcat 9.0.0 Yes
Operating System canonical ubuntu_linux 12.04 Yes
Operating System canonical ubuntu_linux 14.04 Yes
Operating System canonical ubuntu_linux 15.10 Yes
Operating System canonical ubuntu_linux 16.04 Yes
Operating System debian debian_linux 7.0 Yes
Operating System debian debian_linux 8.0 Yes
References