First published: Wed Dec 18 2019
Apache Tomcat could allow a local attacker to hijack a user's session. When FORM authentication is in use, an attacker could exploit this vulnerability to gain access to another user's session.
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/tomcat | <0:7.0.76-15.el7 | 0:7.0.76-15.el7 |
redhat/tomcat | <0:7.0.76-11.el7_6 | 0:7.0.76-11.el7_6 |
redhat/tomcat | <0:7.0.76-12.el7_7 | 0:7.0.76-12.el7_7 |
redhat/tomcat7 | <0:7.0.70-38.ep7.el6 | 0:7.0.70-38.ep7.el6 |
redhat/tomcat8 | <0:8.0.36-42.ep7.el6 | 0:8.0.36-42.ep7.el6 |
redhat/tomcat-native | <0:1.2.23-21.redhat_21.ep7.el6 | 0:1.2.23-21.redhat_21.ep7.el6 |
redhat/tomcat7 | <0:7.0.70-38.ep7.el7 | 0:7.0.70-38.ep7.el7 |
redhat/tomcat8 | <0:8.0.36-42.ep7.el7 | 0:8.0.36-42.ep7.el7 |
redhat/tomcat-native | <0:1.2.23-21.redhat_21.ep7.el7 | 0:1.2.23-21.redhat_21.ep7.el7 |
redhat/jws5-tomcat | <0:9.0.30-3.redhat_4.1.el6 | 0:9.0.30-3.redhat_4.1.el6 |
redhat/jws5-tomcat-native | <0:1.2.23-4.redhat_4.el6 | 0:1.2.23-4.redhat_4.el6 |
redhat/jws5-tomcat | <0:9.0.30-3.redhat_4.1.el7 | 0:9.0.30-3.redhat_4.1.el7 |
redhat/jws5-tomcat-native | <0:1.2.23-4.redhat_4.el7 | 0:1.2.23-4.redhat_4.el7 |
redhat/jws5-tomcat | <0:9.0.30-3.redhat_4.1.el8 | 0:9.0.30-3.redhat_4.1.el8 |
redhat/jws5-tomcat-native | <0:1.2.23-4.redhat_4.el8 | 0:1.2.23-4.redhat_4.el8 |
redhat/tomcat | <7.0.99 | 7.0.99 |
redhat/tomcat | <8.5.50 | 8.5.50 |
redhat/tomcat | <9.0.30 | 9.0.30 |
Apache Tomcat | >=7.0.0<=7.0.98 | |
Apache Tomcat | >=8.5.0<=8.5.49 | |
Apache Tomcat | >=9.0.0<=9.0.29 | |
Debian Debian Linux | =8.0 | |
Debian Debian Linux | =9.0 | |
Debian Debian Linux | =10.0 | |
openSUSE Leap | =15.1 | |
Canonical Ubuntu Linux | =16.04 | |
Oracle Agile Engineering Data Management | =6.2.1.0 | |
Oracle Hyperion Infrastructure Technology | =11.1.2.4 | |
Oracle Instantis Enterprisetrack | >=17.1<=17.3 | |
Oracle Micros Relate Crm Software | =11.4 | |
Oracle Mysql Enterprise Monitor | <=4.0.11.5331 | |
Oracle Mysql Enterprise Monitor | >=8.0.0<=8.0.18.1217 | |
Oracle Retail Order Broker | =15.0 | |
Oracle Transportation Management | =6.3.7 | |
IBM Data Risk Manager | <=2.0.6 | |
debian/tomcat9 | 9.0.43-2~deb11u10, 9.0.70-2 | |
CVE-2019-17563 is a vulnerability in Apache Tomcat that allows an attacker to potentially force a victim to use a valid user session, leading to session fixation.
CVE-2019-17563 has a severity rating of high.
Apache Tomcat versions 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49, and 7.0.0 to 7.0.99 are affected by CVE-2019-17563.
To fix CVE-2019-17563, it is recommended to upgrade to Apache Tomcat version 9.0.30 or later, 8.5.50 or later, or 7.0.100 or later.
You can find more information about CVE-2019-17563 on the CVE website (https://www.cve.org/CVERecord?id=CVE-2019-17563), NIST NVD (https://nvd.nist.gov/vuln/detail/CVE-2019-17563), Apache Tomcat security advisories, and Red Hat errata (https://access.redhat.com/errata/RHSA-2020:4004).
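A defender's version check for the affected ranges listed on this page, added here as an example and not part of the advisory or of Tomcat itself. It parses the `Server version:` line printed by Tomcat's `version.sh`/`version.bat` and classifies the build; the ranges are taken from the table above (for the 7.0.x branch the table gives 7.0.98 as last affected and 7.0.99 as fixed, while the FAQ text gives 7.0.99/7.0.100, so adjust the `AFFECTED` table if you follow the latter), milestone builds such as 9.0.0.M1 are treated as 9.0.0 (an assumption), and vendor packages (Red Hat, Debian) carry backported fixes and must be compared against their own package versions instead.

```python
"""Classify a Tomcat version against the CVE-2019-17563 affected ranges."""
import re
import sys

# (first affected, last affected, first fixed) per branch, from the table above.
AFFECTED = {
    (7, 0): ((7, 0, 0), (7, 0, 98), (7, 0, 99)),
    (8, 5): ((8, 5, 0), (8, 5, 49), (8, 5, 50)),
    (9, 0): ((9, 0, 0), (9, 0, 29), (9, 0, 30)),
}

# Matches "Server version: Apache Tomcat/9.0.29" as printed by version.sh.
# A milestone suffix such as ".M1" is accepted and ignored (treated as x.y.0).
_VERSION_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)(?:\.M\d+)?")


def parse_version(text):
    """Return (major, minor, patch) from version.sh output, or None if absent."""
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def assess(version):
    """Return 'affected', 'fixed' or 'unlisted' for a (major, minor, patch) tuple.

    'unlisted' means the branch is not covered by this advisory's table (for
    example 8.0.x); such builds need a separate check, not an assumption of safety.
    """
    branch = version[:2]
    if branch not in AFFECTED:
        return "unlisted"
    first, last, fixed = AFFECTED[branch]
    if first <= version <= last:
        return "affected"
    return "fixed" if version >= fixed else "unlisted"


def check(text):
    """Parse version.sh output and return (status, version)."""
    version = parse_version(text)
    if version is None:
        return ("unparseable", None)
    return (assess(version), version)


if __name__ == "__main__":
    # Usage: $CATALINA_HOME/bin/version.sh | python3 check_cve_2019_17563.py
    status, version = check(sys.stdin.read())
    print(f"CVE-2019-17563: {status} (parsed version: {version})")
```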