CVE-2019-17563

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

Published: Dec 23, 2019
Updated: Nov 8, 2023
CVE: CVE-2019-17563
GHSA: GHSA-9xcj-c8cr-8c3c
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P

CWEs:

CWE-384

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
apache / tomcat	7.0.0	7.0.98.x
apache / tomcat	8.5.0	8.5.49.x
apache / tomcat	9.0.0	9.0.29.x
debian / debian_linux	8.0	8.0.x
debian / debian_linux	9.0	9.0.x
debian / debian_linux	10.0	10.0.x
opensuse / leap	15.1	15.1.x
canonical / ubuntu_linux	16.04	16.04.x
oracle / transportation_management	6.3.7	6.3.7.x
oracle / retail_order_broker	15.0	15.0.x
oracle / micros_relate_crm_software	11.4	11.4.x
oracle / instantis_enterprisetrack	17.1	17.3.x
oracle / hyperion_infrastructure_technology	11.1.2.4	11.1.2.4.x
oracle / agile_engineering_data_management	6.2.1.0	6.2.1.0.x
oracle / mysql_enterprise_monitor	-	4.0.11.5331.x
oracle / mysql_enterprise_monitor	8.0.0	8.0.18.1217.x
org.apache.tomcat.embed / tomcat-embed-core	-	7.0.99
org.apache.tomcat.embed / tomcat-embed-core	8.0.0	8.5.50
org.apache.tomcat.embed / tomcat-embed-core	9.0.0	9.0.30

Vulnerability Database

289,599

CVE-2019-17563