CVE-2015-5346

High

Description

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.

References

https://security.netapp.com/advisory/ntap-20180531-0001/

https://security.gentoo.org/glsa/201705-09

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442

https://bz.apache.org/bugzilla/show_bug.cgi?id=58809

https://bto.bluecoat.com/security-advisory/sa118

https://access.redhat.com/errata/RHSA-2016:1088

https://access.redhat.com/errata/RHSA-2016:1087

http://www.ubuntu.com/usn/USN-3024-1

http://www.securitytracker.com/id/1035069

http://www.securityfocus.com/bid/83323

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.debian.org/security/2016/dsa-3609

http://www.debian.org/security/2016/dsa-3552

http://www.debian.org/security/2016/dsa-3530

http://tomcat.apache.org/security-9.html

http://tomcat.apache.org/security-8.html

http://tomcat.apache.org/security-7.html

http://svn.apache.org/viewvc?view=revision&revision=1723506

http://svn.apache.org/viewvc?view=revision&revision=1723414

http://svn.apache.org/viewvc?view=revision&revision=1713187

http://svn.apache.org/viewvc?view=revision&revision=1713185

http://svn.apache.org/viewvc?view=revision&revision=1713184

http://seclists.org/bugtraq/2016/Feb/143

http://rhn.redhat.com/errata/RHSA-2016-2808.html

http://rhn.redhat.com/errata/RHSA-2016-2807.html

http://rhn.redhat.com/errata/RHSA-2016-2046.html

http://rhn.redhat.com/errata/RHSA-2016-1089.html

http://packetstormsecurity.com/files/135890/Apache-Tomcat-Session-Fixation.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html

Details

Source: MITRE, NVD

Published: 2016-02-25

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: High