When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.
https://www.debian.org/security/2019/dsa-4596
https://seclists.org/bugtraq/2019/Dec/43
https://security.netapp.com/advisory/ntap-20200107-0001/
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html
https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html
https://usn.ubuntu.com/4251-1/
https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E
https://security.gentoo.org/glsa/202003-43
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.debian.org/security/2020/dsa-4680
https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html
https://lists.apache.org/thread.html/[email protected]%3Cissues.cxf.apache.org%3E
Source: MITRE
Published: 2019-12-23
Updated: 2022-10-07
Type: CWE-384
Base Score: 5.1
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
Impact Score: 6.4
Exploitability Score: 4.9
Severity: MEDIUM
Base Score: 7.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 1.6
Severity: HIGH