PT-2013-3524 · Apache · Apache Tomcat

Published: 2013-05-03 · Updated: 2022-05-14 · CVE-2013-2067

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 6.0.21 through 6.0.36
Apache Tomcat versions 7.x before 7.0.33

Description

The form authentication feature in Apache Tomcat does not properly handle the relationships between authentication requirements and sessions. This allows remote attackers to inject a request into a session by sending the request during completion of the login form, which is a variant of a session fixation attack. Specifically, the FORM authentication associates the most recent request requiring authentication with the current session. By repeatedly sending a request for an authenticated resource while the victim is completing the login form, an attacker could inject a request that would be executed using the victim's credentials.

Recommendations

For Apache Tomcat versions 6.0.21 through 6.0.36, update to a version after 6.0.36 to resolve the issue. For Apache Tomcat versions 7.x before 7.0.33, update to version 7.0.33 or later to resolve the issue. As a temporary workaround, consider restricting access to authenticated resources to minimize the risk of exploitation.

Weakness Enumeration

Improper Authentication

Related Identifiers

CESA-2013_0964
CVE-2013-2067
DSA-2725-1
DSA-2897-1
GHSA-6M48-JXWX-76Q7
MGASA-2014-0082
RHSA-2013:0834
RHSA-2013:0839
RHSA-2013:0964
RHSA-2013:1011
RHSA-2013:1012
RHSA-2013_0964
USN-1841-1

Affected Products

Apache Tomcat
Centos
Red Hat