Detections
Analytics
CVE-2019-17563
high
Description
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.
References
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.debian.org/security/2020/dsa-4680
https://www.debian.org/security/2019/dsa-4596
https://usn.ubuntu.com/4251-1/
https://security.netapp.com/advisory/ntap-20200107-0001/
https://security.gentoo.org/glsa/202003-43
https://seclists.org/bugtraq/2019/Dec/43
https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html
https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html