Release Date: | 2016-02-22 | |
Impact: | Low | What is this? |
Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.xbefore 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.
See more information about CVE-2015-5346 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS metrics and score provided are preliminary and subject to review.
Base Score: | 6.8 |
Vector String: | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Version: | 2.0 |
Attack Vector: | Network |
Attack Complexity: | Medium |
Authentication: | None |
Confidentiality Impact: | Partial |
Integrity Impact: | Partial |
Availability Impact: | Partial |
Platform | Errata | Release Date |
Oracle Linux version 7 (tomcat) | ELSA-2016-2046 | 2016-10-10 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections: