#VU87535 Session Fixation in Apache Tomcat - CVE-2015-5346
Published: March 14, 2024
Vulnerability identifier: #VU87535
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2015-5346
CWE-ID: CWE-384
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Apache Tomcat
Apache Tomcat
Software vendor:
Apache Foundation
Apache Foundation
Description
The vulnerability allows a remote attacker to compromise accounts of other users.
The vulnerability exists due to an insecure way of handling sessions. A remote attacker can leverage the requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java and hijack web sessions of web application users.
Remediation
Install updates from vendor's website.
External links
- http://svn.apache.org/viewvc?view=revision&revision=1713185
- https://bz.apache.org/bugzilla/show_bug.cgi?id=58809
- http://svn.apache.org/viewvc?view=revision&revision=1713184
- http://svn.apache.org/viewvc?view=revision&revision=1713187
- http://tomcat.apache.org/security-8.html
- http://tomcat.apache.org/security-9.html
- http://svn.apache.org/viewvc?view=revision&revision=1723414
- http://tomcat.apache.org/security-7.html
- http://svn.apache.org/viewvc?view=revision&revision=1723506
- http://seclists.org/bugtraq/2016/Feb/143
- http://www.debian.org/security/2016/dsa-3530
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442
- http://www.debian.org/security/2016/dsa-3609
- http://www.ubuntu.com/usn/USN-3024-1
- http://www.debian.org/security/2016/dsa-3552
- http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
- http://rhn.redhat.com/errata/RHSA-2016-2046.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
- http://www.securityfocus.com/bid/83323
- https://access.redhat.com/errata/RHSA-2016:1087
- http://rhn.redhat.com/errata/RHSA-2016-1089.html
- https://access.redhat.com/errata/RHSA-2016:1088
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html
- https://bto.bluecoat.com/security-advisory/sa118
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html
- http://www.securitytracker.com/id/1035069
- http://packetstormsecurity.com/files/135890/Apache-Tomcat-Session-Fixation.html
- https://security.gentoo.org/glsa/201705-09
- http://rhn.redhat.com/errata/RHSA-2016-2808.html
- http://rhn.redhat.com/errata/RHSA-2016-2807.html
- https://security.netapp.com/advisory/ntap-20180531-0001/
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E