CVE-2019-17563 — Session Fixation in Apache Tomcat

CWE-384 — Session Fixation16 documents10 sources

Severity

7.5HIGHNVD

OSV7.0

EPSS

3.3%

top 12.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tomcat Oracle Instantis Enterprisetrack Oracle Mysql Enterprise Monitor +9 more

Timeline

PublishedDec 23

Latest updateJan 15

Description

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages10 packages

▶NVDapache/tomcat7.0.0 — 7.0.98+2

▶CVEListV5apache_software_foundation/apache_tomcat7.0.0 to 7.0.98, 8.5.0 to 8.5.49, 9.0.0.M1 to 9.0.29+2

▶NVDoracle/mysql_enterprise_monitor8.0.0 — 8.0.18.1217+1

▶NVDoracle/instantis_enterprisetrack17.1 — 17.3

▶NVDopensuse/leap15.1

Also affects: Debian Linux 10.0, 8.0, 9.0, Ubuntu Linux 16.04

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

tomcat8 vulnerabilities↗2020-01-27

▶

GHSA

In Apache Tomcat, when using FORM authentication there was a narrow window where an attacker could perform a session fixation attack↗2019-12-26

▶

OSV

In Apache Tomcat, when using FORM authentication there was a narrow window where an attacker could perform a session fixation attack↗2019-12-26

▶

OSV

CVE-2019-17563: When using FORM authentication with Apache Tomcat 9↗2019-12-23

▶

CVEList

CVE-2019-17563: When using FORM authentication with Apache Tomcat 9↗2019-12-23

▶

📋Vendor Advisories

Oracle

Oracle Oracle Hyperion Risk Matrix: Common Security (Apache Tomcat) — CVE-2019-17563↗2021-01-15

▶

Oracle

Oracle Oracle Supply Chain Risk Matrix: Install (Apache Tomcat) — CVE-2019-17563↗2020-07-15

▶

Oracle

Oracle Oracle Database Server Risk Matrix: WLM (Apache Tomcat) — CVE-2019-17563↗2020-04-15

▶

Ubuntu

Tomcat vulnerabilities↗2020-01-27

▶

Red Hat

tomcat: Session fixation when using FORM authentication↗2019-12-18

▶

💬Community

Bugzilla

CVE-2019-17563 tomcat: session fixation when using FORM authentication [epel-all]↗2019-12-20

▶

Bugzilla

CVE-2019-17563 tomcat: session fixation when using FORM authentication [fedora-all]↗2019-12-20

▶

Bugzilla

CVE-2019-17563 tomcat: Session fixation when using FORM authentication↗2019-12-20

▶