Klaas Janssen

#31661 of 53,633
8.1 Total CVSS
Vulnerabilities · 1
PT-2016-1313
8.1
2016-02-08
Apache · Apache Tomcat · CVE-2015-5346
**Name of the Vulnerable Software and Affected Versions**

Apache Tomcat 7.x through 7.0.65
Apache Tomcat 8.x through 8.0.29
Apache Tomcat 9.x through 9.0.0.M1

**Description**

Session fixation (CVE-2015-5346). Tomcat's internal `Request` object carries a `requestedSessionSSL` flag that records whether the HTTP session ID for the current request was taken from the TLS session ID. The flag was not reset when the `Request` object was recycled between requests, so a later request processed on the same object could be treated as having supplied that session ID, i.e. the field was applied to an unintended request. The relevant code is in `CoyoteAdapter.java` and `Request.java`. The problem is most likely to surface where different session settings are used for deployments of multiple versions of the same web application.

In theory this could be used as part of a session fixation attack, but it is hard to exploit in practice because the attacker cannot force the victim's request onto the "correct" recycled `Request` object. It also requires at least one web application on the server to be configured to use the SSL session ID as the HTTP session ID (the Servlet 3.0 `SSL` session tracking mode, `<tracking-mode>SSL</tracking-mode>` under `<session-config>` in `web.xml`), which is not a common configuration.

**Recommendations**

Apache Tomcat 7.x through 7.0.65: update to 7.0.66 or later.
Apache Tomcat 8.x through 8.0.29: update to 8.0.30 or later.
Apache Tomcat 9.x through 9.0.0.M1: update to 9.0.0.M2 or later.

If updating immediately is not possible, remove the precondition instead: make sure no deployed web application uses the SSL session tracking mode (use COOKIE, or COOKIE plus URL), since the bug is only reachable when the SSL session ID is used as the HTTP session ID. `requestedSessionSSL` is a field internal to Tomcat's request processing, not an endpoint, so it cannot be "restricted" by configuration; the tracking mode is the only configuration lever.
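As a practical check for this advisory (an added example, not code from Apache Tomcat or from this page's author), the following Python script implements the two conditions described above: it classifies a Tomcat version string against the affected and fixed ranges, and scans `web.xml` descriptors for the SSL session tracking mode that makes the bug reachable. The version strings and `web.xml` samples are constructed for the demonstration; on a real host you would read `WEB-INF/web.xml` from each deployed application and take the version from `bin/version.sh`.

```python
"""Audit helper for CVE-2015-5346 (Tomcat requestedSessionSSL session fixation).

Added example; not code from Apache Tomcat or from this advisory's author.
Two checks: (1) is the Tomcat version in an affected range, and (2) does any
deployed web application enable SSL session tracking, the precondition that
makes this bug reachable. Version strings and web.xml samples are constructed.
"""
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, as stated in the advisory.
FIXED_RELEASE = {7: (7, 0, 66), 8: (8, 0, 30)}
FIXED_MILESTONE_9 = 2  # 9.0.0.M2


def parse_version(version):
    """Return (major, minor, patch, milestone); milestone is None for GA builds."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    major, minor, patch, milestone = m.groups()
    return int(major), int(minor), int(patch), (int(milestone) if milestone else None)


def is_affected_version(version):
    """True if the version falls in an affected range named by the advisory."""
    major, minor, patch, milestone = parse_version(version)
    if major == 9:
        # Only the 9.0.0.M1 milestone is affected; 9.0.0.M2 onwards and GA carry the fix.
        return (minor, patch) == (0, 0) and milestone is not None and milestone < FIXED_MILESTONE_9
    if major in FIXED_RELEASE:
        return (major, minor, patch) < FIXED_RELEASE[major]
    return False


def uses_ssl_session_tracking(web_xml_text):
    """True if the descriptor selects the SSL session tracking mode.

    Compares local element names so the java.sun.com and xmlns.jcp.org
    Servlet namespaces (and unqualified descriptors) are all handled.
    """
    root = ET.fromstring(web_xml_text)
    for el in root.iter():
        local_name = el.tag.rsplit("}", 1)[-1]
        if local_name == "tracking-mode" and (el.text or "").strip().upper() == "SSL":
            return True
    return False


def assess(version, web_xml_texts):
    """Classify a host as 'patched', 'vulnerable' or 'not-reachable'.

    'not-reachable' means the Tomcat build is in an affected range but no
    application uses SSL session tracking, so the precondition is absent.
    """
    if not is_affected_version(version):
        return "patched"
    if any(uses_ssl_session_tracking(text) for text in web_xml_texts):
        return "vulnerable"
    return "not-reachable"


# Constructed sample descriptors standing in for deployed WEB-INF/web.xml files.
WEB_XML_SSL_TRACKING = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <tracking-mode>SSL</tracking-mode>
  </session-config>
</web-app>"""

WEB_XML_COOKIE_TRACKING = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <cookie-config><secure>true</secure></cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""

if __name__ == "__main__":
    apps = [WEB_XML_SSL_TRACKING, WEB_XML_COOKIE_TRACKING]
    for ver in ("7.0.65", "8.0.29", "8.0.30", "9.0.0.M1", "9.0.0.M2"):
        print(ver, assess(ver, apps))
```

One caveat when using this on a real server: the descriptor scan only catches the declarative configuration. An application can also select the mode at startup through `ServletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.SSL))`, which no `web.xml` grep will see, so a "not-reachable" result should be confirmed by checking the application's initialisation code or by observing whether sessions are created without a `JSESSIONID` cookie or URL parameter over HTTPS.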