PT-2016-1313 · Apache · Apache Tomcat

Klaas Janssen · Published 2016-02-08 · Updated 2024-06-15 · CVE-2015-5346

CVSS v3.1: 8.1 High
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 7.x through 7.0.65
Apache Tomcat versions 8.x through 8.0.29
Apache Tomcat versions 9.x through 9.0.0.M1

Description

This is a session fixation issue: the requestedSessionSSL field of a Request object could be applied to an unintended request, which an attacker could potentially leverage to hijack a web session. It is relevant when different session settings are used for deployments of multiple versions of the same web application. The affected code is in CoyoteAdapter.java and Request.java. In theory this could be used as part of a session fixation attack, although an attacker would find it hard to force the victim onto the 'correct' Request object. It also requires at least one web application to be configured to use the SSL session ID as the HTTP session ID, which is not a common configuration.

Recommendations

For Apache Tomcat versions 7.x through 7.0.65, update to version 7.0.66 or later.
For Apache Tomcat versions 8.x through 8.0.29, update to version 8.0.30 or later.
For Apache Tomcat versions 9.x through 9.0.0.M1, update to version 9.0.0.M2 or later.

As a temporary workaround, consider restricting access to the requestedSessionSSL field in the affected API endpoint until a patch is available.
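A triage helper for the affected-version and precondition information above. This is an added example, not code from the advisory or from the Apache Tomcat project. It encodes the three affected ranges and the fixed releases exactly as the advisory lists them, parses Tomcat version strings including milestone builds such as 9.0.0.M1, and scans a web.xml for the SSL session-tracking mode. Mapping "use the SSL session ID as the HTTP session ID" to `<tracking-mode>SSL</tracking-mode>` in web.xml is this example's assumption, not something the advisory states; the sample web.xml is constructed for the demonstration.

```python
"""Triage helper for CVE-2015-5346 (added example, not from the advisory).

Given a Tomcat version string and the text of a web.xml, report whether the
version is in an affected range, which release the advisory says to move to,
and whether the uncommon SSL session-tracking configuration is present.
"""
import re
import xml.etree.ElementTree as ET

# Affected branches, last affected release and fixed release, as stated in
# the advisory: (major branch, last affected version, first fixed version).
AFFECTED = [
    (7, "7.0.65", "7.0.66"),
    (8, "8.0.29", "8.0.30"),
    (9, "9.0.0.M1", "9.0.0.M2"),
]

# Milestone (M) and release-candidate (RC) builds sort before the final
# release with the same numbers; a final release gets rank 2.
QUALIFIER_RANK = {"M": 0, "RC": 1}


def parse_version(text):
    """Turn '7.0.65' or '9.0.0.M1' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.(M|RC)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        return (major, minor, patch, QUALIFIER_RANK[m.group(4)], int(m.group(5)))
    return (major, minor, patch, 2, 0)


def assess_version(text):
    """Return whether the version is in an advisory range and the upgrade target."""
    version = parse_version(text)
    for branch, last_affected, fixed in AFFECTED:
        if version[0] == branch and version <= parse_version(last_affected):
            return {"affected": True, "upgrade_to": fixed}
    return {"affected": False, "upgrade_to": None}


def uses_ssl_session_tracking(web_xml_text):
    """True if any <tracking-mode> element in web.xml is set to SSL.

    Assumption of this example: Tomcat enables 'SSL session ID as HTTP
    session ID' through this Servlet 3.0 session-config setting. Tag names
    are matched on local name so any web-app namespace is accepted.
    """
    root = ET.fromstring(web_xml_text)
    for elem in root.iter():
        local_name = elem.tag.rsplit("}", 1)[-1]
        if local_name == "tracking-mode" and (elem.text or "").strip().upper() == "SSL":
            return True
    return False


def triage(version_text, web_xml_text):
    """Combine both checks: exposure needs an affected version AND SSL tracking."""
    result = assess_version(version_text)
    result["ssl_tracking"] = uses_ssl_session_tracking(web_xml_text)
    result["exposed"] = result["affected"] and result["ssl_tracking"]
    return result


# Constructed sample web.xml for the demonstration (not from any real deployment).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <tracking-mode>SSL</tracking-mode>
  </session-config>
</web-app>"""


if __name__ == "__main__":
    for ver in ("7.0.65", "7.0.66", "8.0.29", "9.0.0.M1", "9.0.0.M2", "9.0.0"):
        print(ver, assess_version(ver))
    print("sample web.xml:", triage("8.0.29", SAMPLE_WEB_XML))
```

A deployment whose version falls in a range but whose web.xml files never select SSL session tracking still needs the upgrade the advisory recommends; the precondition check only helps prioritise, since the advisory notes the issue requires that configuration to be exploitable.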

Tags: Exploit · Fix · XSS · Session Fixation


Weakness Enumeration

Related Identifiers

ALT-PU-2016-1193
BDU:2016-00612
CESA-2016_2046
CVE-2015-5346
DSA-3530-1
DSA-3552-1
DSA-3609-1
GHSA-JRCP-C39H-R29X
MGASA-2016-0090
OPENSUSE-SU-2016_0865-1
OPENSUSE-SU-2024:10446-1
OPENSUSE-SU-2024:13441-1
RHSA-2016:1087
RHSA-2016:1088
RHSA-2016:2046
RHSA-2016:2807
RHSA-2016_2046
SUSE-SU-2016:0769-1
SUSE-SU-2016:0822-1
USN-3024-1

Affected Products

Alt Linux
Apache Tomcat
Centos
Red Hat
Suse
Ubuntu