Описание
java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.
Отчет
This flaw allows an attacker to circumvent a session fixation prevention mechanism which was implemented in tomcat 5.5.x >= 5.5.29, 6.0.x >= 6.0.21 and 7.x. Earlier versions of tomcat do not include this mechanism, and are therefore not affected by this flaw. JBoss Web as included in JBoss 5.x products also does not include this mechanism, and is not affected by this flaw.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | tomcat5 | Not affected | ||
| Red Hat JBoss Data Grid 6 | jbossweb | Not affected | ||
| Red Hat JBoss Enterprise Web Server 1 | eap-5 | Not affected | ||
| Red Hat JBoss Enterprise Web Server 1 | tomcat5 | Will not fix | ||
| Red Hat JBoss Enterprise Web Server 1 | tomcat6 | Will not fix | ||
| Red Hat JBoss Operations Network 3.1 | jbossweb | Not affected | ||
| Red Hat JBoss Portal 6 | jbossweb | Affected | ||
| Red Hat Enterprise Linux 6 | tomcat6 | Fixed | RHSA-2013:0964 | 20.06.2013 |
| Red Hat JBoss Enterprise Application Platform 6.1 | Fixed | RHSA-2013:0833 | 20.05.2013 | |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 | apache-commons-daemon-eap6 | Fixed | RHSA-2013:0839 | 20.05.2013 |
Показывать по
Дополнительная информация
Статус:
EPSS
2.6 Low
CVSS2
Связанные уязвимости
java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.
java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.
java/org/apache/catalina/authenticator/FormAuthenticator.java in the f ...
EPSS
2.6 Low
CVSS2