CVE-2014-0033

Name of the Vulnerable Software and Affected Versions Apache Tomcat versions 6.0.33 through 6.0.37

Description The issue allows remote attackers to conduct session fixation attacks via a crafted URL, because the disableURLRewriting setting is not considered when handling a session ID in a URL. This is due to a regression introduced by previous fixes to path parameter handling, which causes session IDs provided in the URL to be considered even when disableURLRewriting is configured to true. The session is only used for that single request.

Recommendations For Apache Tomcat versions 6.0.33 through 6.0.37, consider setting disableURLRewriting to true and ensure that session IDs are not provided in URLs to minimize the risk of session fixation attacks. As a temporary workaround, restrict the use of session IDs in URLs until a patch is available.