CVE-2015-5346

Severity

68%

Complexity

86%

Confidentiality

106%

CWE-384: Session Fixation

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.

CWE-384: Session Fixation

CVSS 3.0 Base Score 8.1. CVSS Attack Vector: network. CVSS Attack Complexity: high. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 6.8. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P).

Overview

First reported 8 years ago

2016-02-25 01:59:00

Last updated 6 years ago

2018-07-19 01:29:00

Affected Software

Apache Software Foundation Tomcat 7.0.0 beta

7.0.0

Apache Software Foundation Tomcat 7.0.2 beta

7.0.2

Apache Software Foundation Tomcat 7.0.4 beta

7.0.4

Apache Tomcat 7.0.5 Beta

7.0.5

Apache Software Foundation Tomcat 7.0.6

7.0.6

Apache Software Foundation Tomcat 7.0.10

7.0.10

Apache Software Foundation Tomcat 7.0.11

7.0.11

Apache Software Foundation Tomcat 7.0.12

7.0.12

Apache Software Foundation Tomcat 7.0.14

7.0.14

Apache Software Foundation Tomcat 7.0.16

7.0.16

Apache Software Foundation Tomcat 7.0.19

7.0.19

Apache Software Foundation Tomcat 7.0.20

7.0.20

Apache Software Foundation Tomcat 7.0.21

7.0.21

Apache Software Foundation Tomcat 7.0.22

7.0.22

Apache Software Foundation Tomcat 7.0.23

7.0.23

Apache Software Foundation Tomcat 7.0.25

7.0.25

Apache Software Foundation Tomcat 7.0.26

7.0.26

Apache Software Foundation Tomcat 7.0.27

7.0.27

Apache Software Foundation Tomcat 7.0.28

7.0.28

Apache Software Foundation Tomcat 7.0.29

7.0.29

Apache Software Foundation Tomcat 7.0.30

7.0.30

Apache Software Foundation Tomcat 7.0.32

7.0.32

Apache Software Foundation Tomcat 7.0.33

7.0.33

Apache Software Foundation Tomcat 7.0.34

7.0.34

Apache Software Foundation Tomcat 7.0.35

7.0.35

Apache Software Foundation Tomcat 7.0.37

7.0.37

Apache Software Foundation Tomcat 7.0.39

7.0.39

Apache Software Foundation Tomcat 7.0.40

7.0.40

Apache Software Foundation Tomcat 7.0.41

7.0.41

Apache Software Foundation Tomcat 7.0.42

7.0.42

Apache Software Foundation Tomcat 7.0.47

7.0.47

Apache Software Foundation Tomcat 7.0.50

7.0.50

Apache Software Foundation Tomcat 7.0.52

7.0.52

Apache Software Foundation Tomcat 7.0.53

7.0.53

Apache Software Foundation Tomcat 7.0.54

7.0.54

Apache Software Foundation Tomcat 7.0.55

7.0.55

Apache Software Foundation Tomcat 7.0.56

7.0.56

Apache Software Foundation Tomcat 7.0.57

7.0.57

Apache Tomcat 7.0.59

7.0.59

Apache Tomcat 7.0.61

7.0.61

Apache Tomcat 7.0.62

7.0.62

Apache Tomcat 7.0.63

7.0.63

Apache Tomcat 7.0.64

7.0.64

Apache Software Foundation Tomcat 7.0.65

7.0.65

Apache Software Foundation Tomcat 8.0.0 Release Candidate 1

8.0.0

Apache Software Foundation Tomcat 8.0.0 release candidate 10

8.0.0

Apache Software Foundation Tomcat 8.0.0 Release Candidate 3

8.0.0

Apache Software Foundation Tomcat 8.0.0 release candidate 5

8.0.0

Apache Software Foundation Tomcat 8.0.1

8.0.1

Apache Software Foundation Tomcat 8.0.3

8.0.3

Apache Software Foundation Tomcat 8.0.11

8.0.11

Apache Software Foundation Tomcat 8.0.12

8.0.12

Apache Software Foundation Tomcat 8.0.14

8.0.14

Apache Software Foundation Tomcat 8.0.15

8.0.15

Apache Tomcat 8.0.17

8.0.17

Apache Tomcat 8.0.18

8.0.18

Apache Tomcat 8.0.20

8.0.20

Apache Tomcat 8.0.21

8.0.21

Apache Tomcat 8.0.22

8.0.22

Apache Tomcat 8.0.23

8.0.23

Apache Tomcat 8.0.24

8.0.24

Apache Tomcat 8.0.26

8.0.26

Apache Software Foundation Tomcat 8.0.27

8.0.27

Apache Software Foundation Tomcat 8.0.28

8.0.28

Apache Software Foundation Tomcat 8.0.29

8.0.29

Apache Software Foundation Tomcat 9.0.0 M1

9.0.0

Canonical Ubuntu Linux 12.04 LTS

12.04

Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)

14.04

Canonical Ubuntu Linux 15.10

15.10

Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)

16.04

Debian Linux 7.0

7.0

Debian Linux 8.0 (Jessie)

8.0

References

SUSE-SU-2016:0769

SUSE-SU-2016:0822

openSUSE-SU-2016:0865

http://packetstormsecurity.com/files/135890/Apache-Tomcat-Session-Fixation.html

RHSA-2016:1089

RHSA-2016:2046

RHSA-2016:2807

RHSA-2016:2808

20160222 [SECURITY] CVE-2015-5346 Apache Tomcat Session fixation

http://svn.apache.org/viewvc?view=revision&revision=1713184

http://svn.apache.org/viewvc?view=revision&revision=1713185

http://svn.apache.org/viewvc?view=revision&revision=1713187

http://svn.apache.org/viewvc?view=revision&revision=1723414

http://svn.apache.org/viewvc?view=revision&revision=1723506

http://tomcat.apache.org/security-7.html

Vendor Advisory

http://tomcat.apache.org/security-8.html

Vendor Advisory

http://tomcat.apache.org/security-9.html

Vendor Advisory

DSA-3530

DSA-3552

DSA-3609

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

83323

1035069

USN-3024-1

RHSA-2016:1087

RHSA-2016:1088

https://bto.bluecoat.com/security-advisory/sa118

https://bz.apache.org/bugzilla/show_bug.cgi?id=58809

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626

[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/

GLSA-201705-09

https://security.netapp.com/advisory/ntap-20180531-0001/

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.