CVE-2013-2067Improper Authentication in Apache Tomcat

CWE-287Improper AuthenticationCWE-384Session Fixation9 documents7 sources
Severity
6.8MEDIUMNVD
EPSS
10.4%
top 6.76%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache Tomcat
Timeline
PublishedJun 1
Latest updateMay 14

Description

java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages1 packages

NVDapache/tomcat40 versions+39

Patches

Patch: svn.apache.orgPatch: svn.apache.orgPatch: svn.apache.org

🔴Vulnerability Details

4
OSV
Improper Authentication in Apache Tomcat2022-05-14
GHSA
Improper Authentication in Apache Tomcat2022-05-14
CVEList
CVE-2013-2067: java/org/apache/catalina/authenticator/FormAuthenticator2013-06-01
OSV
CVE-2013-2067: java/org/apache/catalina/authenticator/FormAuthenticator2013-05-10

📋Vendor Advisories

2
Ubuntu
Tomcat vulnerabilities2013-05-28
Red Hat
tomcat: Session fixation in form authenticator2013-05-10

💬Community

2
Bugzilla
CVE-2013-2067 tomcat: Session fixation in form authenticator2013-05-10
Bugzilla
CVE-2013-2067 CVE-2012-3544 tomcat6 various flaws [fedora-all]2013-05-10
CVE-2013-2067 — Improper Authentication in Apache | cvebase