CVE-2019-17563 - Session Fixation

Severity

7.5

When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

Project

Apache Tomcat & Apache TomEE

Versions affected

Apache Tomcat

Tomcat 6.x: All
Tomcat 7.x: 7.0.0 to 7.0.99
Tomcat 8.0.x: All
Tomcat 8.5.x: 8.5.0 to 8.5.50
Tomcat 9.x: 9.0.0.M1 to 9.0.0.30

Apache TomEE

TomEE 1.7.x: All
TomEE 7.0.x: 7.0.0-M1 to 7.0.7
TomEE 7.1.x: 7.1.0 to 7.1.2
TomEE 8.0.x: 8.0.0-M1 to 8.0.1