CVE-2015-5346

high
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.

References

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html

http://packetstormsecurity.com/files/135890/Apache-Tomcat-Session-Fixation.html

http://rhn.redhat.com/errata/RHSA-2016-1089.html

http://rhn.redhat.com/errata/RHSA-2016-2046.html

http://rhn.redhat.com/errata/RHSA-2016-2807.html

http://rhn.redhat.com/errata/RHSA-2016-2808.html

http://seclists.org/bugtraq/2016/Feb/143

http://svn.apache.org/viewvc?view=revision&revision=1713184

http://svn.apache.org/viewvc?view=revision&revision=1713185

http://svn.apache.org/viewvc?view=revision&revision=1713187

http://svn.apache.org/viewvc?view=revision&revision=1723414

http://svn.apache.org/viewvc?view=revision&revision=1723506

http://tomcat.apache.org/security-7.html

http://tomcat.apache.org/security-8.html

http://tomcat.apache.org/security-9.html

http://www.debian.org/security/2016/dsa-3530

http://www.debian.org/security/2016/dsa-3552

http://www.debian.org/security/2016/dsa-3609

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

http://www.securityfocus.com/bid/83323

http://www.securitytracker.com/id/1035069

http://www.ubuntu.com/usn/USN-3024-1

https://access.redhat.com/errata/RHSA-2016:1087

https://access.redhat.com/errata/RHSA-2016:1088

https://bto.bluecoat.com/security-advisory/sa118

https://bz.apache.org/bugzilla/show_bug.cgi?id=58809

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626

https://security.gentoo.org/glsa/201705-09

https://security.netapp.com/advisory/ntap-20180531-0001/

Details

Source: MITRE

Published: 2016-02-25

Updated: 2018-07-19

Risk Information

CVSS v2

Base Score: 6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 2.2

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.5:beta:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.0:rc3:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.14:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.15:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.17:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.18:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.20:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.21:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.22:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.23:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.24:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.26:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.27:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.28:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.29:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:m1:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

Configuration 3

OR

cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Tenable Plugins

View all (24 total)

IDNameProductFamilySeverity
701336Apache Tomcat < 7.0.67 VulnerabilityNessus Network MonitorWeb Servers
medium
700699Apache Tomcat 9.0.x < 9.0.0.M3 Multiple VulnerabilitiesNessus Network MonitorWeb Servers
medium
121125Apache Tomcat < 9.0.0.M3 Multiple VulnerabilitiesNessusWeb Servers
high
121118Apache Tomcat < 7.0.67 Session FixationNessusWeb Servers
high
100262GLSA-201705-09 : Apache Tomcat: Multiple vulnerabilitiesNessusGentoo Local Security Checks
critical
99812EulerOS 2.0 SP1 : tomcat (EulerOS-SA-2016-1049)NessusHuawei Local Security Checks
high
95024RHEL 6 / 7 : JBoss Web Server (RHSA-2016:2807)NessusRed Hat Local Security Checks
high
94005Scientific Linux Security Update : tomcat on SL7.x (noarch) (20161010) (httpoxy)NessusScientific Linux Local Security Checks
high
93966CentOS 7 : tomcat (CESA-2016:2046) (httpoxy)NessusCentOS Local Security Checks
high
93951RHEL 7 : tomcat (RHSA-2016:2046) (httpoxy)NessusRed Hat Local Security Checks
high
93948Oracle Linux 7 : tomcat (ELSA-2016-2046) (httpoxy)NessusOracle Linux Local Security Checks
high
91954Ubuntu 12.04 LTS / 14.04 LTS / 15.10 / 16.04 LTS : tomcat6, tomcat7 vulnerabilities (USN-3024-1)NessusUbuntu Local Security Checks
high
91906Debian DSA-3609-1 : tomcat8 - security updateNessusDebian Local Security Checks
high
9314Apache Tomcat 7.0.x < 7.0.67 / 8.0.x < 8.0.32 Session HijackingNessus Network MonitorWeb Servers
medium
91246RHEL 7 : JBoss Web Server (RHSA-2016:1088)NessusRed Hat Local Security Checks
high
91245RHEL 6 : JBoss Web Server (RHSA-2016:1087)NessusRed Hat Local Security Checks
high
90552Debian DSA-3552-1 : tomcat7 - security updateNessusDebian Local Security Checks
high
90272Amazon Linux AMI : tomcat8 (ALAS-2016-679)NessusAmazon Linux Local Security Checks
high
90205Debian DSA-3530-1 : tomcat6 - security updateNessusDebian Local Security Checks
high
90136openSUSE Security Update : tomcat (openSUSE-2016-384)NessusSuSE Local Security Checks
high
89838Amazon Linux AMI : tomcat7 (ALAS-2016-657)NessusAmazon Linux Local Security Checks
high
89010FreeBSD : tomcat -- multiple vulnerabilities (7bbc3016-de63-11e5-8fa8-14dae9d210b8)NessusFreeBSD Local Security Checks
high
89006FreeBSD : tomcat -- multiple vulnerabilities (1f1124fe-de5c-11e5-8fa8-14dae9d210b8)NessusFreeBSD Local Security Checks
high
88937Apache Tomcat 8.0.0.RC1 < 8.0.32 Multiple VulnerabilitiesNessusWeb Servers
high