CVE-2019-17563
First published: Wed Dec 18 2019(Updated: )
Apache Tomcat could allow a local attacker to hijack a user's session. By using the FORM authentication function, an attacker could exploit this vulnerability to gain access to another user's session.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/tomcat | <0:7.0.76-15.el7 | 0:7.0.76-15.el7 |
| redhat/tomcat | <0:7.0.76-11.el7_6 | 0:7.0.76-11.el7_6 |
| redhat/tomcat | <0:7.0.76-12.el7_7 | 0:7.0.76-12.el7_7 |
| redhat/tomcat7 | <0:7.0.70-38.ep7.el6 | 0:7.0.70-38.ep7.el6 |
| redhat/tomcat8 | <0:8.0.36-42.ep7.el6 | 0:8.0.36-42.ep7.el6 |
| redhat/tomcat-native | <0:1.2.23-21.redhat_21.ep7.el6 | 0:1.2.23-21.redhat_21.ep7.el6 |
| redhat/tomcat7 | <0:7.0.70-38.ep7.el7 | 0:7.0.70-38.ep7.el7 |
| redhat/tomcat8 | <0:8.0.36-42.ep7.el7 | 0:8.0.36-42.ep7.el7 |
| redhat/tomcat-native | <0:1.2.23-21.redhat_21.ep7.el7 | 0:1.2.23-21.redhat_21.ep7.el7 |
| redhat/jws5-tomcat | <0:9.0.30-3.redhat_4.1.el6 | 0:9.0.30-3.redhat_4.1.el6 |
| redhat/jws5-tomcat-native | <0:1.2.23-4.redhat_4.el6 | 0:1.2.23-4.redhat_4.el6 |
| redhat/jws5-tomcat | <0:9.0.30-3.redhat_4.1.el7 | 0:9.0.30-3.redhat_4.1.el7 |
| redhat/jws5-tomcat-native | <0:1.2.23-4.redhat_4.el7 | 0:1.2.23-4.redhat_4.el7 |
| redhat/jws5-tomcat | <0:9.0.30-3.redhat_4.1.el8 | 0:9.0.30-3.redhat_4.1.el8 |
| redhat/jws5-tomcat-native | <0:1.2.23-4.redhat_4.el8 | 0:1.2.23-4.redhat_4.el8 |
| debian/tomcat9 | 9.0.31-1~deb10u6 9.0.31-1~deb10u10 9.0.43-2~deb11u6 9.0.43-2~deb11u9 9.0.70-2 | |
| IBM Data Risk Manager | <=2.0.6 | |
| redhat/tomcat | <7.0.99 | 7.0.99 |
| redhat/tomcat | <8.5.50 | 8.5.50 |
| redhat/tomcat | <9.0.30 | 9.0.30 |
| Apache Tomcat | >=7.0.0<=7.0.98 | |
| Apache Tomcat | >=8.5.0<=8.5.49 | |
| Apache Tomcat | >=9.0.0<=9.0.29 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| openSUSE Leap | =15.1 | |
| Canonical Ubuntu Linux | =16.04 | |
| Oracle Agile Engineering Data Management | =6.2.1.0 | |
| Oracle Hyperion Infrastructure Technology | =11.1.2.4 | |
| Oracle Instantis Enterprisetrack | >=17.1<=17.3 | |
| Oracle Micros Relate Crm Software | =11.4 | |
| IBM Cognos Analytics | <=4.0.11.5331 | |
| IBM Cognos Analytics | >=8.0.0<=8.0.18.1217 | |
| Oracle Retail Order Broker | =15.0 | |
| Oracle Transportation Management | =6.3.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/173558
- https://www.ibm.com/support/pages/node/6335281 (Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html
- https://lists.apache.org/thread.html/8b4c1db8300117b28a0f3f743c0b9e3f964687a690cdf9662a884bbd%40%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/reb9a66f176df29b9a832caa95ebd9ffa3284e8f4922ec4fa3ad8eb2e@%3Cissues.cxf.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html
- https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html
- https://seclists.org/bugtraq/2019/Dec/43
- https://security.gentoo.org/glsa/202003-43
- https://security.netapp.com/advisory/ntap-20200107-0001/
- https://usn.ubuntu.com/4251-1/
- https://www.debian.org/security/2019/dsa-4596
- https://www.debian.org/security/2020/dsa-4680
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://tomcat.apache.org/security-7.html
- https://tomcat.apache.org/security-8.html
- http://tomcat.apache.org/security-9.html
- https://github.com/apache/tomcat/commit/ab72a10
- https://github.com/apache/tomcat/commit/e19a202
- https://github.com/apache/tomcat/commit/1ecba14
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1785712
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1785713
- http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.30
- https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.50
- https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.99
- http://mail-archives.apache.org/mod_mbox/www-announce/201912.mbox/%3C21b7a375-7297-581b-1f8e-06622d36775b@apache.org%3E
- https://access.redhat.com/errata/RHSA-2020:0860
- https://access.redhat.com/errata/RHSA-2020:0861
- https://access.redhat.com/security/cve/cve-2019-17563
- https://access.redhat.com/errata/RHSA-2020:1521
- https://access.redhat.com/errata/RHSA-2020:1520
- https://access.redhat.com/errata/RHSA-2020:4004
- https://access.redhat.com/errata/RHSA-2021:0882
- https://access.redhat.com/errata/RHSA-2021:1030
- https://bugzilla.redhat.com/show_bug.cgi?id=1785711
- https://www.cve.org/CVERecord?id=CVE-2019-17563 https://nvd.nist.gov/vuln/detail/CVE-2019-17563 http://mail-archives.apache.org/mod_mbox/www-announce/201912.mbox/%3C21b7a375-7297-581b-1f8e-06622d36775b@apache.org%3E http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.30 https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.99 https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.50
- https://github.com/apache/tomcat/commit/1ecba14e690cf5f3f143eef6ae7037a6d3c16652
- https://github.com/apache/tomcat/commit/e19a202ee43b6e2a538be5515ae0ab32d8ef112c
- https://github.com/apache/tomcat/commit/ab72a106fe5d992abddda954e30849d7cf8cc583
- https://security-tracker.debian.org/tracker/CVE-2019-17563
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2019-17563?
CVE-2019-17563 is a vulnerability in Apache Tomcat that allows an attacker to potentially force a victim to use a valid user session, leading to session fixation.
What is the severity of CVE-2019-17563?
CVE-2019-17563 has a severity rating of high.
Which versions of Apache Tomcat are affected by CVE-2019-17563?
Apache Tomcat versions 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49, and 7.0.0 to 7.0.99 are affected by CVE-2019-17563.
How can I fix CVE-2019-17563?
To fix CVE-2019-17563, it is recommended to upgrade to Apache Tomcat version 9.0.30 or later, 8.5.50 or later, or 7.0.100 or later.
Where can I find more information about CVE-2019-17563?
You can find more information about CVE-2019-17563 on the CVE website (https://www.cve.org/CVERecord?id=CVE-2019-17563), NIST NVD (https://nvd.nist.gov/vuln/detail/CVE-2019-17563), Apache Tomcat security advisories, and Red Hat errata (https://access.redhat.com/errata/RHSA-2020:4004).
- collector/redhat-cve
- collector/security-tracker-debian
- collector/ibm-support
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/author
- agent/severity
- agent/references
- agent/remedy
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-17563
- agent/software-canonical-lookup
- agent/event
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- package-manager/debian
- vendor/ibm
- canonical/ibm data risk manager
- version/ibm data risk manager/2.0.6
- vendor/apache
- canonical/apache tomcat
- version/apache tomcat/7.0.0
- version/apache tomcat/7.0.98
- version/apache tomcat/8.5.0
- version/apache tomcat/8.5.49
- version/apache tomcat/9.0.0
- version/apache tomcat/9.0.29
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.1
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- vendor/oracle
- canonical/oracle agile engineering data management
- version/oracle agile engineering data management/6.2.1.0
- canonical/oracle hyperion infrastructure technology
- version/oracle hyperion infrastructure technology/11.1.2.4
- canonical/oracle instantis enterprisetrack
- version/oracle instantis enterprisetrack/17.1
- version/oracle instantis enterprisetrack/17.3
- canonical/oracle micros relate crm software
- version/oracle micros relate crm software/11.4
- canonical/oracle mysql enterprise monitor
- version/oracle mysql enterprise monitor/4.0.11.5331
- version/oracle mysql enterprise monitor/8.0.0
- version/oracle mysql enterprise monitor/8.0.18.1217
- canonical/oracle retail order broker
- version/oracle retail order broker/15.0
- canonical/oracle transportation management
- version/oracle transportation management/6.3.7