Home

CVE-2019-17563

Description

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

Risk Information

Base Score
7.5
MODERATE
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
2.427

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2019-17563,CVE-2019-12418,CVE-2019-2684 are fixed in 17 December 2019 Fixed in Apache Tomcat 7.0.99Windows
Vulnerabilities CVE-2019-17563 are fixed in 12 December 2019 Fixed in Apache Tomcat 8.5.50Windows
Vulnerabilities CVE-2019-17563 are fixed in 12 December 2019 Fixed in Apache Tomcat 9.0.30Windows
Vulnerabilities CVE-2019-12418,CVE-2019-17563 are fixed in Apache - tomcat-embed-core 7.0.99Windows
Vulnerabilities CVE-2019-17563 are fixed in Apache - tomcat-embed-core 8.5.50Windows
Vulnerabilities CVE-2019-17563 are fixed in Apache - tomcat-embed-core 9.0.30Windows
Multiple Vulnerabilities are affected in IBM Tivoli Application Dependency Discovery Manager 7.3.0Windows
tomcat8 security update(DSA-4596-1) tomcat8_8.5.50-0+deb9u1_all.debLinux
Servlet and JSP engine (USN-4251-1) tomcat8_8.0.32-1ubuntu1.11_all.debLinux
Servlet and JSP engine (USN-4251-1) libtomcat8-java_8.0.32-1ubuntu1.11_all.debLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP4 ) tomcat-9.0.31-3.25.1.noarch.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-9.0.31-3.25.1.noarch_SP5.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP4 ) tomcat-admin-webapps-9.0.31-3.25.1.noarch.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP4 ) tomcat-docs-webapp-9.0.31-3.25.1.noarch.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-admin-webapps-9.0.31-3.25.1.noarch_SP5.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP4 ) tomcat-el-3_0-api-9.0.31-3.25.1.noarch.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-docs-webapp-9.0.31-3.25.1.noarch_SP5.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP4 ) tomcat-javadoc-9.0.31-3.25.1.noarch.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-el-3_0-api-9.0.31-3.25.1.noarch_SP5.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP4 ) tomcat-jsp-2_3-api-9.0.31-3.25.1.noarch.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-javadoc-9.0.31-3.25.1.noarch_SP5.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP4 ) tomcat-lib-9.0.31-3.25.1.noarch.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-jsp-2_3-api-9.0.31-3.25.1.noarch_SP5.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP4 ) tomcat-servlet-4_0-api-9.0.31-3.25.1.noarch.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-lib-9.0.31-3.25.1.noarch_SP5.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP4 ) tomcat-webapps-9.0.31-3.25.1.noarch.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-servlet-4_0-api-9.0.31-3.25.1.noarch_SP5.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-webapps-9.0.31-3.25.1.noarch_SP5.rpmLinux
tomcat9 security update(DSA-4680-1) tomcat9_9.0.31-1~deb10u1_all.debLinux
(RHSA-2020:4004) tomcat security and bug fix update tomcat-7.0.76-15.el7.noarch.rpmLinux
(RHSA-2020:4004) tomcat security and bug fix update tomcat-admin-webapps-7.0.76-15.el7.noarch.rpmLinux
(RHSA-2020:4004) tomcat security and bug fix update tomcat-docs-webapp-7.0.76-15.el7.noarch.rpmLinux
(RHSA-2020:4004) tomcat security and bug fix update tomcat-el-2.2-api-7.0.76-15.el7.noarch.rpmLinux
(RHSA-2020:4004) tomcat security and bug fix update tomcat-javadoc-7.0.76-15.el7.noarch.rpmLinux
(RHSA-2020:4004) tomcat security and bug fix update tomcat-jsp-2.2-api-7.0.76-15.el7.noarch.rpmLinux
(RHSA-2020:4004) tomcat security and bug fix update tomcat-jsvc-7.0.76-15.el7.noarch.rpmLinux
(RHSA-2020:4004) tomcat security and bug fix update tomcat-lib-7.0.76-15.el7.noarch.rpmLinux
(RHSA-2020:4004) tomcat security and bug fix update tomcat-servlet-3.0-api-7.0.76-15.el7.noarch.rpmLinux
(RHSA-2020:4004) tomcat security and bug fix update tomcat-webapps-7.0.76-15.el7.noarch.rpmLinux
Vulnerabilities CVE-2019-17563,CVE-2019-12418,CVE-2019-2684 are fixed in 17 December 2019 Fixed in Apache Tomcat 7.0.99 (For Linux)Linux
Vulnerabilities CVE-2019-17563 are fixed in 12 December 2019 Fixed in Apache Tomcat 8.5.50 (For Linux)Linux
Vulnerabilities CVE-2019-17563 are fixed in 12 December 2019 Fixed in Apache Tomcat 9.0.30 (For Linux)Linux
Vulnerabilities CVE-2019-12418,CVE-2019-17563 are fixed in Apache - tomcat-embed-core for Linux 7.0.99Linux
Vulnerabilities CVE-2019-17563 are fixed in Apache - tomcat-embed-core for Linux 8.5.50Linux
Vulnerabilities CVE-2019-17563 are fixed in Apache - tomcat-embed-core for Linux 9.0.30Linux
Session Fixation Vulnerability (CVE-2019-17563)NCM

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234