CVE-2019-17563 Session fixation

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.29
Apache Tomcat 8.5.0 to 8.5.49
Apache Tomcat 7.0.0 to 7.0.98

Description:
When using FORM authentication there was a narrow window where an
attacker could perform a session fixation attack. The window was
considered too narrow for an exploit to be practical but, erring on the
side of caution, this issue has been treated as a security
vulnerability.

Mitigation:
- Upgrade to Apache Tomcat 9.0.30 or later
- Upgrade to Apache Tomcat 8.5.50 or later
- Upgrade to Apache Tomcat 7.0.99 or later

Credit:
William Marlow (IBM).

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
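The following is an added illustration of the vulnerability class named in the advisory, not code from Tomcat or from the advisory's author. It models a FORM-style login (a login page that creates a session to hold the saved request, then a j_security_check endpoint) twice: once without rotating the session ID on successful authentication, once with rotation, and runs the textbook fixation sequence against both. It shows the general pattern and the standard defence, not the specific narrow window fixed in the Tomcat versions listed above. The server class, the user store, the saved-request attribute and the attack helper are all constructed for the example; only the cookie name JSESSIONID is Tomcat's default.

```python
"""Session fixation against a FORM-style login, vulnerable vs. hardened.

Added example, not Tomcat code. Everything below is a constructed model:
a toy server with an in-memory session table, one hard-coded user, and
a helper that plays the attacker and the victim in turn.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

SESSION_COOKIE = "JSESSIONID"           # Tomcat's default session cookie name
USERS = {"alice": "correct horse"}       # constructed credential store


@dataclass
class Session:
    id: str
    principal: Optional[str] = None
    attrs: dict = field(default_factory=dict)


class AppServer:
    """Minimal FORM-authentication model. rotate_on_auth selects whether a
    successful login moves the session to a fresh ID (the fixation defence)."""

    def __init__(self, rotate_on_auth: bool):
        self.rotate_on_auth = rotate_on_auth
        self.sessions: Dict[str, Session] = {}

    def _get_or_create(self, cookies: dict) -> Session:
        sid = cookies.get(SESSION_COOKIE)
        if sid in self.sessions:
            return self.sessions[sid]
        s = Session(secrets.token_hex(16))
        self.sessions[s.id] = s
        return s

    def get_login_page(self, cookies: dict) -> dict:
        # FORM auth saves the originally requested URL in the session before
        # the form is shown, so a session exists before any credentials are seen.
        s = self._get_or_create(cookies)
        s.attrs.setdefault("saved_request", "/app/secret")   # constructed
        return {SESSION_COOKIE: s.id}

    def post_j_security_check(self, cookies: dict, username: str, password: str) -> Optional[dict]:
        s = self._get_or_create(cookies)
        if USERS.get(username) != password:
            return None
        if self.rotate_on_auth:
            # Keep the session contents (saved request etc.) but issue a new ID,
            # so any ID known to a third party before login is now worthless.
            del self.sessions[s.id]
            s.id = secrets.token_hex(16)
            self.sessions[s.id] = s
        s.principal = username
        return {SESSION_COOKIE: s.id}

    def whoami(self, cookies: dict) -> Optional[str]:
        s = self.sessions.get(cookies.get(SESSION_COOKIE))
        return s.principal if s else None


def fixation_attack(server: AppServer) -> dict:
    """Run the classic fixation sequence and report what each party sees."""
    # 1. Attacker obtains a valid, unauthenticated session ID from the server.
    fixed_id = server.get_login_page({})[SESSION_COOKIE]
    # 2. Attacker plants that ID in the victim's browser (the delivery vector,
    #    e.g. a crafted link or cookie injection, is out of scope here).
    victim_cookies = {SESSION_COOKIE: fixed_id}
    # 3. Victim visits the login page and authenticates on the planted session.
    server.get_login_page(victim_cookies)
    after_login = server.post_j_security_check(victim_cookies, "alice", "correct horse")
    # 4. Attacker presents the ID they chose; a principal here means fixation worked.
    return {
        "attacker_sees": server.whoami({SESSION_COOKIE: fixed_id}),
        "victim_sees": server.whoami(after_login),
        "id_rotated": after_login[SESSION_COOKIE] != fixed_id,
    }


if __name__ == "__main__":
    print("no rotation:", fixation_attack(AppServer(rotate_on_auth=False)))
    print("rotation:   ", fixation_attack(AppServer(rotate_on_auth=True)))
```

In the vulnerable run the attacker's pre-chosen ID becomes an authenticated session for alice; in the hardened run the victim is logged in on a fresh ID and the planted one never gains a principal. The defence is cheap because the session's contents survive the rotation; only the identifier the client presents changes.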