CVE-2014-0033

Apache Tomcat 6.0.33-6.0.37 - Session Fixation

Title source: llm
STIX 2.1

Description

org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33 through 6.0.37 does not consider the disableURLRewriting setting when handling a session ID in a URL, which allows remote attackers to conduct session fixation attacks via a crafted URL.

References (23)

Core 23
Core References
Various Sources x_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg21677147
Various Sources x_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg21678231
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1069919
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/65769
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2016/dsa-3530
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/534161/100/0/threaded
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/59722
Vendor Advisory x_refsource_confirm
http://tomcat.apache.org/security-6.html
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2130-1
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/59873
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2014/Dec/23
Various Sources x_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg21675886
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/59036

Scores

EPSS 0.1623
EPSS Percentile 94.9%

Details

CWE
CWE-20
Status published
Products (6)
apache/tomcat 6.0.33
apache/tomcat 6.0.34
apache/tomcat 6.0.35
apache/tomcat 6.0.36
apache/tomcat 6.0.37
org.apache.tomcat/tomcat 6.0.33 - 6.0.38Maven
Published Feb 26, 2014
Tracked Since Feb 18, 2026