CVE-2013-2067

Severity

5.3

Description

java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.

Mitigation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Related links:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2067

http://mail-archives.apache.org/mod_mbox/tomcat-announce/201305.mbox/%[email protected]%3E

Project

Apache Tomcat

Category

n/a

Tags

operational

Date Disclosed

2013-06-01

Date Discovered

2013-02-19

Apache Tomcat 7.0.x

First release:

2011-01-14

First release:

2021-03-31

0

Support Lifecycle:

Maintenance Support

Namespace:

javax

7.0.6 7.0.8 7.0.11 7.0.12 7.0.14 7.0.16 7.0.19 7.0.20 7.0.21 7.0.22 7.0.23 7.0.25 7.0.26 7.0.27 7.0.28 7.0.29 7.0.30 7.0.32

Apache Tomcat 6.0.x

First release:

2007-02-28

First release:

2016-12-31

0

Support Lifecycle:

Namespace:

javax

6.0.13 6.0.14 6.0.16 6.0.18 6.0.20 6.0.24 6.0.26 6.0.28 6.0.29 6.0.30 6.0.32 6.0.33 6.0.35 6.0.36

Apache TomEE 1.5.x

First release:

2012-09-28

0

Support Lifecycle:

Namespace:

javax

Apache TomEE 1.0.x

First release:

2012-04-27

0

Support Lifecycle:

Namespace:

javax

Feel Vulnerable?

Contact us so we can help you.

First name ^*
Last name ^*
Email ^*
Company ^*
Product ^*
Heard about us from: ^*
Tell us more ^*

Send me a confirmation email

^* These fields are required.