PT-2016-1314 · Apache · Apache Tomcat
Published: 2016-02-08 · Updated: 2024-06-15 · CVE-2015-5351
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 7.0.0 through 7.0.67
Apache Tomcat versions 8.0.0 through 8.0.30
Apache Tomcat versions 9.0.0.M1 and earlier
Description
The issue affects the Manager and Host Manager applications in Apache Tomcat, which establish sessions and issue CSRF tokens for arbitrary new requests. This allows remote attackers to bypass the CSRF protection mechanism by using a token obtained this way. The root cause is that the index page of the Manager and Host Manager applications included a valid CSRF token when issuing a redirect in response to an unauthenticated request to the root of the web application, so a usable token was handed out before any credentials had been presented.
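The following is an added example, not code from the advisory or from the Tomcat project: a small check a defender can run over the response their own Tomcat instance returns to an unauthenticated request for the Manager root, to confirm that no CSRF nonce is exposed before login. It assumes the nonce travels as the query parameter `org.apache.catalina.filters.CSRF_NONCE` (the default name used by Tomcat's CsrfPreventionFilter, not stated on this page) and uses constructed sample responses rather than captured traffic.

```python
from urllib.parse import parse_qs, urlsplit

# Query parameter carrying the nonce issued by Tomcat's CsrfPreventionFilter.
# Assumption: this name is not stated in the advisory; it is the filter's default.
CSRF_NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE"


def nonce_in_url(url: str) -> bool:
    """True if the URL's query string carries a CSRF nonce parameter."""
    return CSRF_NONCE_PARAM in parse_qs(urlsplit(url).query)


def leaks_csrf_nonce(status: int, headers: dict, body: str) -> bool:
    """Inspect the response Tomcat returned to an *unauthenticated* request
    for the root of the Manager or Host Manager application.

    A patched server (7.0.68 / 8.0.31 / 9.0.0.M2 or later) must not hand out
    a usable CSRF nonce before credentials were presented, so a nonce in the
    redirect target or in the returned index page means the fix is missing.
    """
    # Header names are case-insensitive; normalise before looking them up.
    lowered = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and nonce_in_url(lowered.get("location", "")):
        return True
    # Nonce embedded in a link or form field of the index page itself.
    return CSRF_NONCE_PARAM in body


# Constructed sample responses (status, headers, body), not captured traffic.
PRE_FIX = (302, {"Location": "https://tomcat.example/manager/html?"
                 + CSRF_NONCE_PARAM + "=DEADBEEF"}, "")
POST_FIX = (302, {"Location": "https://tomcat.example/manager/html"}, "")
POST_FIX_PAGE = (200, {"Content-Type": "text/html"},
                 '<a href="/manager/html">Manager</a>')


if __name__ == "__main__":
    for name, resp in (("pre-fix", PRE_FIX), ("post-fix", POST_FIX)):
        print(name, "leaks nonce:", leaks_csrf_nonce(*resp))
```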
Recommendations
For Apache Tomcat versions 7.0.0 through 7.0.67, update to version 7.0.68 or later.
For Apache Tomcat versions 8.0.0 through 8.0.30, update to version 8.0.31 or later.
For Apache Tomcat versions 9.0.0.M1 and earlier, update to version 9.0.0.M2 or later.
As a temporary workaround, consider restricting access to the Manager and Host Manager applications to minimize the risk of exploitation.
Fix
CSRF
Affected Products
Alt Linux
Apache Tomcat
CentOS
Red Hat
SUSE
Ubuntu