CVE-2015-5346

HIGH

Apache Tomcat <7.0.66, 8.0.30, 9.0.0.M2 - Session Fixation

Title source: llm

Description

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.

References (35)

Core 35

Core References

Patch x_refsource_confirm

http://svn.apache.org/viewvc?view=revision&revision=1723414

Vendor Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2016-2046.html

Vendor Advisory x_refsource_confirm

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/201705-09

Mailing List mailing-list x_refsource_bugtraq

http://seclists.org/bugtraq/2016/Feb/143

Vendor Advisory x_refsource_confirm

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html

Vendor Advisory x_refsource_confirm

http://tomcat.apache.org/security-9.html

Vendor Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-3024-1

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2016/dsa-3530

Patch x_refsource_confirm

http://svn.apache.org/viewvc?view=revision&revision=1713184

Vendor Advisory x_refsource_confirm

http://tomcat.apache.org/security-7.html

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/83323

Vendor Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2016-1089.html

Vendor Advisory x_refsource_confirm

http://tomcat.apache.org/security-8.html

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2016:1087

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1035069

Vendor Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2016-2807.html

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2016:1088

Vendor Advisory x_refsource_confirm

https://security.netapp.com/advisory/ntap-20180531-0001/

Vendor Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2016-2808.html

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html

Various Sources x_refsource_confirm

https://bz.apache.org/bugzilla/show_bug.cgi?id=58809

Patch x_refsource_confirm

http://svn.apache.org/viewvc?view=revision&revision=1713185

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2016/dsa-3609

Patch x_refsource_confirm

http://svn.apache.org/viewvc?view=revision&revision=1723506

Vendor Advisory x_refsource_confirm

http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html

Patch x_refsource_confirm

http://svn.apache.org/viewvc?view=revision&revision=1713187

Vendor Advisory x_refsource_confirm

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2016/dsa-3552

Exploit, Third Party Advisory x_refsource_misc

http://packetstormsecurity.com/files/135890/Apache-Tomcat-Session-Fixation.html

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

Various Sources x_refsource_confirm

https://bto.bluecoat.com/security-advisory/sa118

Vendor Advisory x_refsource_confirm

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442

Scores

CVSS v3 8.1

EPSS 0.3881

EPSS Percentile 97.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published

Products (47)

apache/tomcat 7.0.0 beta

apache/tomcat 7.0.2 beta

apache/tomcat 7.0.4 beta

apache/tomcat 7.0.5 beta

apache/tomcat 7.0.6

apache/tomcat 7.0.10

apache/tomcat 7.0.11

apache/tomcat 7.0.12

apache/tomcat 7.0.14

apache/tomcat 7.0.16

... and 37 more

Published Feb 25, 2016

Tracked Since Feb 18, 2026