PT-2019-5228 · Apache · Apache Tomcat

Lukas Braune · Published 2019-12-06 · Updated 2024-06-15 · CVE-2019-17563

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 9.0.0.M1 through 9.0.29
Apache Tomcat versions 8.5.0 through 8.5.49
Apache Tomcat versions 7.0.0 through 7.0.98

Description

The issue is a session fixation weakness in Tomcat's FORM authentication. An attacker could potentially exploit it to gain unauthorized access to confidential data, cause a denial of service, and impact data integrity. The window for exploitation is considered narrow, but the issue is treated as a security concern.

Recommendations

For Apache Tomcat versions 9.0.0.M1 through 9.0.29, update to a version outside of this range to mitigate the risk.
For Apache Tomcat versions 8.5.0 through 8.5.49, update to a version outside of this range to mitigate the risk.
For Apache Tomcat versions 7.0.0 through 7.0.98, update to a version outside of this range to mitigate the risk.
As a temporary workaround, consider restricting access to FORM authentication until a patch is available.
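The following Python script is an added example for triaging an inventory against this advisory; it is not part of the advisory and not Apache's code. It parses Tomcat version strings (including the 9.0.0.M1-style milestone builds, which sort before 9.0.1), checks them against the three affected ranges exactly as stated above, and scans a deployment descriptor for a FORM login-config, since only applications using FORM authentication are exposed and the workaround targets them. The web.xml snippets and the triage labels are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, NamedTuple


class TomcatVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    is_release: int  # 0 for milestone builds (9.0.0.M1 ... 9.0.0.M27), 1 for releases
    milestone: int   # milestone number, 0 for releases


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def parse_version(text: str) -> TomcatVersion:
    """Parse '9.0.29' or '9.0.0.M12' into a tuple that sorts in release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return TomcatVersion(int(major), int(minor), int(patch), 1, 0)
    # Milestones of 9.0.0 must sort below the 9.0.1 release, hence is_release=0.
    return TomcatVersion(int(major), int(minor), int(patch), 0, int(milestone))


# Affected ranges as stated in the advisory, inclusive on both ends.
AFFECTED_RANGES = [
    ("9.0.0.M1", "9.0.29"),
    ("8.5.0", "8.5.49"),
    ("7.0.0", "7.0.98"),
]


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return any(parse_version(low) <= v <= parse_version(high)
               for low, high in AFFECTED_RANGES)


def uses_form_auth(web_xml: str) -> bool:
    """True if the descriptor declares <login-config><auth-method>FORM</auth-method>."""
    root = ET.fromstring(web_xml)
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]  # drop the XML namespace, if any
        if tag == "auth-method" and (elem.text or "").strip().upper() == "FORM":
            return True
    return False


def triage(version: str, web_xml: str) -> str:
    """Assumed triage policy (constructed for this example, not from the advisory)."""
    if not is_affected(version):
        return "not affected"
    if uses_form_auth(web_xml):
        return "affected version, FORM auth in use: update now"
    return "affected version, FORM auth not in use: update on schedule"


def classify(versions: Iterable[str]) -> Dict[str, bool]:
    """Map each inventory version string to whether it falls in an affected range."""
    return {v: is_affected(v) for v in versions}


# Constructed sample descriptors (not taken from any real deployment).
SAMPLE_FORM_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
"""

SAMPLE_BASIC_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>example</realm-name>
  </login-config>
</web-app>
"""

if __name__ == "__main__":
    for ver in ["9.0.0.M5", "9.0.29", "9.0.30", "8.5.49", "8.5.50", "7.0.98", "7.0.99"]:
        print(f"{ver:>10}: {triage(ver, SAMPLE_FORM_WEB_XML)}")
```

The parser deliberately rejects strings it does not understand rather than guessing, so a vendor-patched build with a different version scheme (such as a distribution package) shows up as an error to be checked by hand against the vendor identifiers listed below instead of silently passing as "not affected".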

Exploit · Fix

Weakness Enumeration

Session Fixation

Related Identifiers

ALT-PU-2020-2892
ALT-PU-2020-3213
ALT-PU-2021-2858
BDU:2020-01971
CESA-2020_4004
CVE-2019-17563
DLA-2077-1
DLA-2209-1
DSA-4596-1
DSA-4680-1
GHSA-9XCJ-C8CR-8C3C
MGASA-2020-0054
OPENSUSE-SU-2020:0038-1
OPENSUSE-SU-2020_0038-1
OPENSUSE-SU-2024:11468-1
OPENSUSE-SU-2024:13441-1
RHSA-2020:0861
RHSA-2020:1520
RHSA-2020:4004
RHSA-2020_4004
RHSA-2021:0882
RHSA-2021:1030
SUSE-SU-2020:0029-1
SUSE-SU-2020:0226-1
SUSE-SU-2020:0632-1
SUSE-SU-2020:1497-1
SUSE-SU-2020:1498-1
SUSE-SU-2020_1497-1
SUSE-SU-2020_1498-1
USN-4251-1

Affected Products

Alt Linux
Apache Tomcat
Centos
Red Hat
Suse
Ubuntu