Description
The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.
Packages
Package | Status | Fixed version | Release | Type |
---|---|---|---|---|
tomcat9 | not-affected | | | package |
tomcat8 | fixed | 8.0.32-1 | | package |
tomcat7 | fixed | 7.0.68-1 | | package |
tomcat6 | fixed | 6.0.41-3 | | package |
Notes
Since 6.0.41-3, src:tomcat6 only builds a servlet and docs
Fixed in 7.0.68, 8.0.32, 9.0.0.M3
Upstream advisory does not make reference to 6.x but looking at the
upstream patches reveals that this issue is fixed since 6.0.45
http://svn.apache.org/viewvc?view=revision&revision=1720661
http://svn.apache.org/viewvc?view=revision&revision=1720663
Related vulnerabilities
The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.
Apache Tomcat allows remote attackers to bypass a CSRF protection mechanism by using a token
Vulnerability in the Apache Tomcat application server that allows an attacker to bypass the CSRF protection mechanism