
6 matches found

Veracode
added 2019/01/15 9:14 a.m., 22 views

Information Disclosure

Tomcat is vulnerable to information disclosure. This is possible because it does not prevent leveraging the use of the requestedSessionSSL field, allowing the reuse of the same session ID for the next request using that Request object. The vulnerability is not easy to set up as the client because it...

CVSS 8.1, AI score 7.9, EPSS 0.10573
Exploits 0, References 37, Affected Software 4
RedHat Linux
added 2016/11/17 8:33 p.m., 2 views

tomcat: Session fixation

A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests...

CVSS 8.1, AI score 7.2, EPSS 0.10573
Exploits 0, References 5
CNVD
added 2016/02/26 12:0 a.m., 1 view

Apache Tomcat Session Fixation Vulnerability (CNVD-2016-01381)

Apache Tomcat is a popular open source JSP application server program. Apache Tomcat has a security vulnerability in the implementation of the requestedSessionSSL field, which can be exploited by an attacker to hijack an arbitrary session and gain access to the affected application...

CVSS 8.1, AI score 8.5, EPSS 0.10573
Exploits 0, References 1
OpenVAS
added 2016/02/25 12:0 a.m., 32 views

Apache Tomcat Session Fixation Vulnerability (Feb 2016) - Windows

Apache Tomcat is prone to a session fixation vulnerability. SPDX-FileCopyrightText: 2016 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:apache:tomcat";...

CVSS 8.1, AI score 8.4, EPSS 0.10573
Exploits 0, References 4
OpenVAS
added 2016/02/25 12:0 a.m., 42 views

Apache Tomcat Session Fixation Vulnerability (Feb 2016) - Linux

Apache Tomcat is prone to a session fixation vulnerability. SPDX-FileCopyrightText: 2016 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:apache:tomcat";...

CVSS 8.1, AI score 8.4, EPSS 0.10573
Exploits 0, References 4
UbuntuCve
added 2016/02/24 12:0 a.m., 27 views

CVE-2015-5346

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a...

CVSS 8.1, AI score 7.2, EPSS 0.10573
Exploits 0, References 2