Source: Google OSV, GHSA-W7CG-5969-678W
History: May 14, 2022 - 3:13 a.m.

Apache Tomcat allows remote attackers to bypass a CSRF protection mechanism by using a token

Published: 2022-05-14 03:13:01
Reporter: Google (osv.dev)
Tags: apache tomcat, csrf protection, manager application, host manager application, remote attackers

AI Score: 7 (Confidence: Low)
EPSS: 0.004 (Percentile: 72.2%)

The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token. Because a session and its CSRF token are created for any request, including one that has not been authenticated, an attacker can obtain a valid token without credentials and supply it in a forged request, which defeats the purpose of the token check.
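The following model, added here and not taken from Tomcat or from the advisory, shows why handing out a CSRF nonce before authentication breaks the protection. It reuses Tomcat's real nonce parameter name (org.apache.catalina.filters.CSRF_NONCE) but everything else is a constructed stand-in: the ManagerApp class, the sample admin credential, and the assumption that the application accepts a session identifier supplied in the request (as with URL-rewritten session ids) while HTTP Basic credentials are attached by the victim's browser on every request. The vulnerable variant issues a session and nonce to any request; the hardened variant refuses both until the caller has authenticated.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from typing import Optional

# Tomcat's CSRF prevention filter carries its nonce in this request parameter.
NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE"
# Constructed sample credential for the model (not a real default).
ADMIN_CREDS = ("admin", "s3cret")


@dataclass
class Session:
    id: str
    nonces: set = field(default_factory=set)


@dataclass
class Request:
    path: str
    params: dict = field(default_factory=dict)
    session_id: Optional[str] = None      # from a cookie or URL rewriting
    basic_auth: Optional[tuple] = None    # (user, password) the browser attached


@dataclass
class Response:
    status: int
    location: Optional[str] = None
    session_id: Optional[str] = None      # stands in for Set-Cookie: JSESSIONID=...


class ManagerApp:
    """Minimal stand-in for the Manager index page plus one state-changing action."""

    def __init__(self, issue_nonce_pre_auth: bool):
        self.issue_nonce_pre_auth = issue_nonce_pre_auth
        self.sessions: dict[str, Session] = {}
        self.stopped: set = set()

    def _authenticated(self, req: Request) -> bool:
        return req.basic_auth == ADMIN_CREDS

    def _session(self, req: Request) -> Session:
        # Reuse the session named by the request, otherwise create one.
        sess = self.sessions.get(req.session_id)
        if sess is None:
            sess = Session(id=secrets.token_hex(8))
            self.sessions[sess.id] = sess
        return sess

    def index(self, req: Request) -> Response:
        """GET /manager/: redirect to the HTML UI with a fresh nonce in the URL."""
        if not self.issue_nonce_pre_auth and not self._authenticated(req):
            # Hardened behaviour: no session and no nonce before authentication.
            return Response(401)
        # Vulnerable behaviour: any request (even unauthenticated) gets both.
        sess = self._session(req)
        nonce = secrets.token_hex(8)
        sess.nonces.add(nonce)
        return Response(302, location=f"/manager/html?{NONCE_PARAM}={nonce}",
                        session_id=sess.id)

    def stop(self, req: Request) -> Response:
        """State-changing action: needs valid credentials and a nonce bound to the session."""
        if not self._authenticated(req):
            return Response(401)
        sess = self.sessions.get(req.session_id)
        if sess is None or req.params.get(NONCE_PARAM) not in sess.nonces:
            return Response(403)
        self.stopped.add(req.params["path"])
        return Response(200)


def simulate_csrf(issue_nonce_pre_auth: bool) -> str:
    """Attacker fetches the index without credentials, then forges a request via the victim."""
    app = ManagerApp(issue_nonce_pre_auth)
    first = app.index(Request("/manager/"))          # no credentials at all
    if first.status != 302:
        return "no-token"                            # hardened: nothing to reuse
    nonce = first.location.split(f"{NONCE_PARAM}=")[1]
    # Forged request delivered through the victim's browser. Assumptions of the model:
    # the app accepts the attacker's session id from the request, and the browser
    # attaches the victim's cached Basic credentials.
    forged = Request("/manager/html/stop",
                     params={"path": "/victim-app", NONCE_PARAM: nonce},
                     session_id=first.session_id,
                     basic_auth=ADMIN_CREDS)
    result = app.stop(forged)
    return "stopped" if result.status == 200 else f"blocked-{result.status}"


def legitimate_flow_works() -> bool:
    """The hardened app still issues a nonce once the caller has authenticated."""
    app = ManagerApp(issue_nonce_pre_auth=False)
    first = app.index(Request("/manager/", basic_auth=ADMIN_CREDS))
    if first.status != 302:
        return False
    nonce = first.location.split(f"{NONCE_PARAM}=")[1]
    action = app.stop(Request("/manager/html/stop",
                              params={"path": "/my-app", NONCE_PARAM: nonce},
                              session_id=first.session_id, basic_auth=ADMIN_CREDS))
    return action.status == 200


if __name__ == "__main__":
    print("vulnerable:", simulate_csrf(True))
    print("hardened:  ", simulate_csrf(False))
    print("legit ok:  ", legitimate_flow_works())
```

The nonce check in `stop` is the same in both variants; what changes is only whether `index` will mint a session and nonce for a caller it has not authenticated. That is the practical test for this class of bug: request the index page with no credentials and see whether the response already carries a session cookie and a nonce.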
