Low: Session fixation CVE-2019-17563
When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.
This was fixed with commit 1ecba14e.
This issue was reported to the Apache Tomcat Security Team by William Marlow (IBM) on 19 November 2019. The issue was made public on 18 December 2019.
Affects: 9.0.0.M1 to 9.0.29
| CPE | Name | Operator | Version |
|---|---|---|---|
| | apache tomcat | ge | 9.0.0.M1 |
| | apache tomcat | le | 9.0.29 |
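
To check an inventory against the range above, the following added example (not part of the advisory or of Apache Tomcat) orders Tomcat version strings, including milestone builds such as 9.0.0.M1, and reports which fall between the stated bounds. It evaluates only the 9.0.x range given on this page; the function names, the optional `Apache Tomcat/` prefix handling and the sample inventory are assumptions.

```python
import re

# Bounds stated on this page: ge 9.0.0.M1, le 9.0.29.
AFFECTED_MIN = "9.0.0.M1"
AFFECTED_MAX = "9.0.29"

# Accepts "9.0.29", "9.0.0.M1" and the same with an "Apache Tomcat/" prefix
# (prefix handling is an assumption about how the inventory reports versions).
_VERSION_RE = re.compile(r"^(?:Apache Tomcat/)?(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def parse_version(text):
    """Return a sortable key (major, minor, patch, is_final, milestone).

    A milestone build sorts before the same number without a milestone tag,
    and milestones sort numerically, so M9 comes before M10.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def in_affected_range(version):
    """True if the version lies inside the range this page lists."""
    key = parse_version(version)
    return parse_version(AFFECTED_MIN) <= key <= parse_version(AFFECTED_MAX)


def triage(versions):
    """Map each version string to 'affected', 'not in range' or 'unparsed'."""
    result = {}
    for v in versions:
        try:
            result[v] = "affected" if in_affected_range(v) else "not in range"
        except ValueError:
            result[v] = "unparsed"
    return result


if __name__ == "__main__":
    # Constructed inventory values, not taken from the page.
    sample = ["9.0.0.M1", "Apache Tomcat/9.0.0.M27", "9.0.29", "9.0.30", "9.0.x"]
    for version, status in triage(sample).items():
        print(f"{version:28} {status}")
```

Entries reported as `unparsed` need manual review rather than being treated as unaffected.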