Lucene search

K

Veracode Vulnerability DatabaseVERACODE:10982

HistoryJan 15, 2019 - 8:55 a.m.

Session Fixation During Completion Of The Login Form

2019-01-1508:55:05

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

7

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.

CPENameOperatorVersion
tomcat6eq6.0.24__48.el6_3
tomcat6eq6.0.24__55.el6_4
tomcat6eq6.0.24__24.el6_0
tomcat6eq6.0.32__31_patch_08.ep5.el6
tomcat6eq6.0.24__64.el6_5
tomcat6eq6.0.24__111.el6_9
tomcat6eq6.0.24__49.el6
tomcat6eq6.0.24__62.el6
tomcat6eq6.0.24__95.el6
tomcat6eq6.0.24__80.el6

Rows per page:

1-10 of 8531

References

archives.neohapsis.com/archives/bugtraq/2013-05/0041.html

rhn.redhat.com/errata/RHSA-2013-0833.html

rhn.redhat.com/errata/RHSA-2013-0834.html

rhn.redhat.com/errata/RHSA-2013-0839.html

rhn.redhat.com/errata/RHSA-2013-0964.html

rhn.redhat.com/errata/RHSA-2013-1437.html

svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?r1=1417891&r2=1417890&pathrev=1417891

svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?r1=1408044&r2=1408043&pathrev=1408044

svn.apache.org/viewvc?view=revision&revision=1408044

svn.apache.org/viewvc?view=revision&revision=1417891

tomcat.apache.org/security-6.html

tomcat.apache.org/security-7.html

www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

www.securityfocus.com/bid/59799

www.securityfocus.com/bid/64758

www.ubuntu.com/usn/USN-1841-1

access.redhat.com/security/updates/classification/#moderate

lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E

rhn.redhat.com/errata/RHSA-2013-0964.html

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

Related for VERACODE:10982

nessus22 openvas16 securityvulns5 cve1 seebug2 github1 tomcat2 redhat6 oraclelinux1 osv3 prion1 debiancve1 ubuntucve1 centos1 atlassian5 ubuntu1 mageia1 debian2 f51 gentoo1 ibm2 oracle2