PT-2019-5228 · Apache · Apache Tomcat

Lukas Braune · Published 2019-12-06 · Updated 2024-06-15 · CVE-2019-17563

CVSS v2.0: 10.0 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Apache Tomcat 9.0.0.M1 through 9.0.29
Apache Tomcat 8.5.0 through 8.5.49
Apache Tomcat 7.0.0 through 7.0.98

Description

Apache Tomcat's FORM authentication was subject to a session fixation attack. In a session fixation attack the attacker arranges for a victim to authenticate under a session identifier the attacker already knows; once the victim logs in, the attacker holds a session authenticated as that user and can act with the user's privileges, including reading and modifying any data the user can reach (the CVSS vector above rates the impact as complete loss of confidentiality, integrity and availability). The window in which the attack could succeed was considered narrow, but the issue was treated as a security vulnerability nonetheless.

Recommendations

Upgrade to the first release outside the affected range of the branch in use: 9.0.30 or later for Tomcat 9, 8.5.50 or later for Tomcat 8.5, 7.0.99 or later for Tomcat 7. Check the version actually running (the "Apache Tomcat/x.y.z" line in catalina.out, the output of version.sh, or the server banner) rather than the package name alone; distribution packages covered by the advisories listed under related identifiers below may backport the fix without changing the upstream version number, so consult the distribution advisory in that case. Where the upgrade cannot be rolled out immediately, reduce exposure of applications that rely on FORM authentication, for example by restricting which networks can reach their login pages, until the fixed release is deployed.
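The following is an added example, not code from the advisory page or from the Tomcat project: a small checker that decides whether a Tomcat version string (as found in a banner or log line) falls inside the affected ranges listed above, handling Tomcat's milestone versions such as 9.0.0.M1, and reporting the first release past the range. The sample banners at the bottom are constructed.

```python
"""Added example (not from the advisory page or the Tomcat project): decide
whether a Tomcat version string falls inside the affected ranges the advisory
lists for CVE-2019-17563, handling Tomcat's milestone scheme (9.0.0.M1 ...).
"""
import re

# Inclusive (first affected, last affected) per branch, copied from the advisory.
AFFECTED_RANGES = [
    ("9.0.0.M1", "9.0.29"),
    ("8.5.0", "8.5.49"),
    ("7.0.0", "7.0.98"),
]

# Accepts "9.0.29", "9.0.0.M1", or the banner form "Apache Tomcat/8.5.49".
_VERSION_RE = re.compile(
    r"^(?:Apache Tomcat/)?(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$"
)


def parse_version(text):
    """Convert a version string into a tuple that sorts in release order.

    A milestone x.y.z.Mn is a pre-release of x.y.z, so it sorts as
    (x, y, z, 0, n) and a final release as (x, y, z, 1, 0).  This puts
    9.0.0.M27 before 9.0.1, which is the order Tomcat actually shipped them.
    """
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a Tomcat version string: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(text):
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(text)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def minimum_fixed_version(text):
    """For an affected version, return the first release past its branch's
    range (the next patch number after the range's upper bound); None when
    the version is not affected.  For the three ranges above this yields
    9.0.30, 8.5.50 and 7.0.99, the releases in which the Tomcat project
    shipped the fix.
    """
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v <= parse_version(hi):
            major, minor, patch = (int(p) for p in hi.split("."))
            return f"{major}.{minor}.{patch + 1}"
    return None


if __name__ == "__main__":
    # Constructed sample banners, e.g. as seen in a Server header or the
    # "Apache Tomcat/x.y.z" line of catalina.out.
    for banner in ("Apache Tomcat/9.0.29", "9.0.30", "9.0.0.M1", "8.0.53"):
        print(banner, "affected" if is_affected(banner) else "not affected",
              minimum_fixed_version(banner))
```

Note that the checker reasons about upstream version numbers only; a distribution package that backports the fix will still report an "affected" upstream version, so the package advisory has the final say there.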

Weakness Enumeration

Session Fixation (CWE-384)
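To make the weakness class concrete, here is an added example that is not Tomcat's code and not from the advisory page: a toy session store with two FORM-style login handlers. The vulnerable handler authenticates the user into whatever session ID the client presented, the classic CWE-384 pattern; the fixed handler moves the session to a freshly generated ID on success, which is the behaviour Tomcat's changeSessionIdOnAuthentication setting provides. The user table and credentials are constructed. The model demonstrates the attack class only and does not reproduce the narrow timing window that CVE-2019-17563 itself involved.

```python
"""Added example, not Tomcat's code: a model of session fixation (CWE-384),
the weakness class the advisory files this CVE under.  The vulnerable login
keeps the client-presented session ID; the fixed login re-keys the session on
success.  It does not reproduce the narrow window of CVE-2019-17563 itself.
"""
import secrets

USERS = {"alice": "correct horse"}  # constructed sample credential


class SessionStore:
    """Server-side session table keyed by the opaque ID sent in JSESSIONID."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def rotate(self, sid):
        """Re-key an existing session under a new ID and retire the old one."""
        data = self._sessions.pop(sid)
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = data
        return new_sid


def _resolve(store, sid):
    """Return (sid, session), creating a session when the presented ID is unknown."""
    if sid is None or store.get(sid) is None:
        sid = store.create()
    return sid, store.get(sid)


def form_login_vulnerable(store, sid, username, password):
    """Marks the presented session as authenticated and keeps its ID (CWE-384)."""
    sid, session = _resolve(store, sid)
    if USERS.get(username) != password:
        return sid, False
    session["user"] = username
    return sid, True


def form_login_fixed(store, sid, username, password):
    """Same check, but a successful login is bound to a freshly generated ID."""
    sid, session = _resolve(store, sid)
    if USERS.get(username) != password:
        return sid, False
    session["user"] = username
    return store.rotate(sid), True


def authenticated_user(store, sid):
    session = store.get(sid)
    return session["user"] if session else None


def session_fixation_attack(login):
    """Play the CWE-384 scenario against a login handler.

    Returns the user the attacker ends up logged in as (None if the attack failed).
    """
    store = SessionStore()
    # 1. Attacker obtains a valid but unauthenticated session ID from the app.
    planted_sid = store.create()
    # 2. Attacker plants that ID in the victim's browser.  How this happens
    #    (a link carrying ;jsessionid=..., a cookie set from a sibling host)
    #    is outside the model; here the victim simply logs in with it.
    victim_sid, ok = login(store, planted_sid, "alice", "correct horse")
    assert ok and authenticated_user(store, victim_sid) == "alice"
    # 3. Attacker presents the ID they planted.
    return authenticated_user(store, planted_sid)


if __name__ == "__main__":
    print("vulnerable handler:", session_fixation_attack(form_login_vulnerable))
    print("fixed handler:     ", session_fixation_attack(form_login_fixed))
```

Against the vulnerable handler the attacker's planted ID becomes alice's authenticated session; against the fixed handler the planted ID is retired at login and the attacker is left with nothing. The same observation is the basis of a manual check for any FORM-authenticated application: note the session cookie before login and confirm it changes after a successful login.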

Related identifiers

ALT-PU-2020-2892
ALT-PU-2020-3213
ALT-PU-2021-2858
BDU:2020-01971
CESA-2020:4004
CVE-2019-17563
DLA-2077-1
DLA-2209-1
DSA-4596-1
DSA-4680-1
GHSA-9XCJ-C8CR-8C3C
MGASA-2020-0054
OPENSUSE-SU-2020:0038-1
OPENSUSE-SU-2024:11468-1
OPENSUSE-SU-2024:13441-1
RHSA-2020:0861
RHSA-2020:1520
RHSA-2020:4004
RHSA-2021:0882
RHSA-2021:1030
SUSE-SU-2020:0029-1
SUSE-SU-2020:0226-1
SUSE-SU-2020:0632-1
SUSE-SU-2020:1497-1
SUSE-SU-2020:1498-1
USN-4251-1

Affected products

Alt Linux
Apache Tomcat
CentOS
Red Hat
SUSE
Ubuntu