CVE-2014-0033 — Improper Input Validation in Apache Tomcat

CWE-20 — Improper Input Validation CWE-384 — Session Fixation10 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

16.2%

top 5.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tomcat

Timeline

PublishedFeb 26

Latest updateMay 14

Description

org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33 through 6.0.37 does not consider the disableURLRewriting setting when handling a session ID in a URL, which allows remote attackers to conduct session fixation attacks via a crafted URL.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

▶NVDapache/tomcat5 versions+4

🔴Vulnerability Details

GHSA

Improper Input Validation in Apache Tomcat↗2022-05-14

▶

OSV

Improper Input Validation in Apache Tomcat↗2022-05-14

▶

CVEList

CVE-2014-0033: org/apache/catalina/connector/CoyoteAdapter↗2014-02-26

▶

OSV

CVE-2014-0033: org/apache/catalina/connector/CoyoteAdapter↗2014-02-26

▶

📋Vendor Advisories

Ubuntu

Tomcat vulnerabilities↗2014-03-06

▶

Red Hat

tomcat: session fixation still possible with disableURLRewriting enabled↗2014-02-25

▶

💬Community

Bugzilla

CVE-2014-7812 Red Hat Satellite, Spacewalk: XSS in system-group↗2014-12-11

▶

Bugzilla

CVE-2014-7811 Red Hat Satellite, Spacewalk: multiple XSS↗2014-10-24

▶

Bugzilla

CVE-2014-0033 tomcat: session fixation still possible with disableURLRewriting enabled↗2014-02-25

▶