When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.
Published: 2019-12-23T17:15:11.803
Last modified: 2024-11-21T04:32:32.160
Status: Modified
CVSS v3.1 base score: 7.5 (HIGH)
CVSS v2 vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
CVSS v2 exploitability subscore: 4.9
CVSS v2 impact subscore: 6.4
Type | Vendor | Product | Version/Range | Vulnerable? |
---|---|---|---|---|
Application | apache | tomcat | ≤ 7.0.98 | Yes |
Application | apache | tomcat | ≤ 8.5.49 | Yes |
Application | apache | tomcat | ≤ 9.0.29 | Yes |
Operating System | debian | debian_linux | 8.0 | Yes |
Operating System | debian | debian_linux | 9.0 | Yes |
Operating System | debian | debian_linux | 10.0 | Yes |
Operating System | opensuse | leap | 15.1 | Yes |
Operating System | canonical | ubuntu_linux | 16.04 | Yes |
Application | oracle | agile_engineering_data_management | 6.2.1.0 | Yes |
Application | oracle | hyperion_infrastructure_technology | 11.1.2.4 | Yes |
Application | oracle | instantis_enterprisetrack | ≤ 17.3 | Yes |
Application | oracle | micros_relate_crm_software | 11.4 | Yes |
Application | oracle | mysql_enterprise_monitor | ≤ 4.0.11.5331 | Yes |
Application | oracle | mysql_enterprise_monitor | ≤ 8.0.18.1217 | Yes |
Application | oracle | retail_order_broker | 15.0 | Yes |
Application | oracle | transportation_management | 6.3.7 | Yes |