CVSS v2 base score: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

EPSS score: 0.012 (Low), percentile 84.8%
CVE-2013-2067: java/org/apache/catalina/authenticator/FormAuthenticator.java, the FORM authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 (fixed in 6.0.37 and 7.0.33), does not properly handle the relationship between authentication requirements and sessions. FORM authentication saves the request that triggered the login, shows the login form, and replays the saved request once the credentials are accepted. An attacker who shares the victim's session (session fixation) can send a request for a protected resource while the victim is completing the login form; that request replaces the saved one and is then executed with the victim's newly established credentials. The attacker must know or set the victim's session identifier, which is why the access complexity is rated MEDIUM.
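The following is an added, constructed model of the save-request/replay state machine described above; it is not Tomcat code and does not reproduce the 6.0.37/7.0.33 patch. It replays the timeline with a vulnerable server that keeps the saved request in whatever session the client presents, and beside it one generic countermeasure that I am assuming for illustration: issuing a fresh session identifier at the moment the request is saved, so a fixated identifier never reaches the saved-request slot. Names (`FormAuthServer`, `run_scenario`, the `/app/...` paths and the `victim` credentials) are all invented for the model.

```python
"""Model of FORM-auth saved-request replay under session fixation (constructed example)."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    session_id: Optional[str]                      # session id the client presents, if any
    path: str
    credentials: Optional[Tuple[str, str]] = None  # (username, password) on the login POST


@dataclass
class Session:
    sid: str
    principal: Optional[str] = None           # set once the login form succeeds
    saved_request: Optional[Request] = None   # the single "request to replay after login" slot


class FormAuthServer:
    """Minimal container model: save the request, show the form, replay after login."""

    LOGIN_ACTION = "/j_security_check"
    USERS = {"victim": "hunter2"}  # constructed credential store

    def __init__(self, regenerate_on_save: bool) -> None:
        self.regenerate_on_save = regenerate_on_save
        self.sessions: Dict[str, Session] = {}
        self.executed: List[Tuple[str, str]] = []  # (principal, path) actually served

    def _new_session(self) -> Session:
        s = Session(secrets.token_hex(8))
        self.sessions[s.sid] = s
        return s

    def handle(self, req: Request) -> Tuple[str, str]:
        """Process one request; returns (outcome, session id the client should keep)."""
        session = self.sessions.get(req.session_id) or self._new_session()

        if req.path == self.LOGIN_ACTION:
            user, pw = req.credentials or ("", "")
            if self.USERS.get(user) != pw or session.saved_request is None:
                return ("login-failed", session.sid)
            session.principal = user
            saved, session.saved_request = session.saved_request, None
            # Whatever sits in the slot is replayed under the just-authenticated principal.
            self.executed.append((user, saved.path))
            return ("replayed " + saved.path, session.sid)

        if session.principal is not None:
            self.executed.append((session.principal, req.path))
            return ("served " + req.path, session.sid)

        # Unauthenticated: remember the request and send the login form.
        if self.regenerate_on_save:
            # Assumed hardening: drop the presented (possibly fixated) id and issue a new one,
            # so only the client that receives the login form owns the saved-request slot.
            self.sessions.pop(session.sid)
            session = self._new_session()
        session.saved_request = req
        return ("login-form", session.sid)


def run_scenario(regenerate_on_save: bool) -> List[Tuple[str, str]]:
    """Replay the CVE-2013-2067 timeline; returns the (principal, path) pairs that were served."""
    srv = FormAuthServer(regenerate_on_save)
    # 1. Attacker obtains a session id and fixes it on the victim (e.g. a link carrying the id).
    _, fixed = srv.handle(Request(None, "/app/"))
    # 2. Victim, carrying the fixed id, requests a protected page and is shown the login form.
    _, victim_sid = srv.handle(Request(fixed, "/app/account"))
    # 3. While the victim types the password, the attacker sends a request with the same fixed id.
    srv.handle(Request(fixed, "/app/transfer?to=attacker"))
    # 4. Victim submits the form with the id the server told them to keep.
    srv.handle(Request(victim_sid, FormAuthServer.LOGIN_ACTION, ("victim", "hunter2")))
    return srv.executed


if __name__ == "__main__":
    print("vulnerable:", run_scenario(False))   # attacker's request runs as 'victim'
    print("hardened:  ", run_scenario(True))    # victim's own request is replayed
```

In the vulnerable run the attacker's `/app/transfer?to=attacker` is what gets executed as `victim`, which is the injected request the description refers to. In the hardened run the fixated identifier is discarded when the login form is issued, so the attacker's request lands in a session of its own and the victim's original request is replayed. The model only removes the fixation precondition; on a real deployment the fix is to upgrade to the releases named above.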
References
mail-archives.apache.org/mod_mbox/tomcat-announce/201305.mbox/%[email protected]%3E
tomcat.apache.org/security-6.html
tomcat.apache.org/security-7.html
launchpad.net/bugs/cve/CVE-2013-2067
nvd.nist.gov/vuln/detail/CVE-2013-2067
security-tracker.debian.org/tracker/CVE-2013-2067
ubuntu.com/security/notices/USN-1841-1
www.cve.org/CVERecord?id=CVE-2013-2067