7.5
CVE-2019-17563
- EPSS 3.26%
- Published 23.12.2019 17:15:11
- Last modified 21.11.2024 04:32:32
- Source security@apache.org
- Teams watchlist Login
- Open Login
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.
Data is provided by the National Vulnerability Database (NVD)
Debian ≫ Debian Linux Version8.0
Debian ≫ Debian Linux Version9.0
Debian ≫ Debian Linux Version10.0
Canonical ≫ Ubuntu Linux Version16.04 SwEditionlts
Oracle ≫ Agile Engineering Data Management Version6.2.1.0
Oracle ≫ Hyperion Infrastructure Technology Version11.1.2.4
Oracle ≫ Instantis Enterprisetrack Version >= 17.1 <= 17.3
Oracle ≫ Micros Relate Crm Software Version11.4
Oracle ≫ Mysql Enterprise Monitor Version <= 4.0.11.5331
Oracle ≫ Mysql Enterprise Monitor Version >= 8.0.0 <= 8.0.18.1217
Oracle ≫ Retail Order Broker Version15.0
Oracle ≫ Transportation Management Version6.3.7
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 3.26% | 0.867 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 1.6 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 5.1 | 4.9 | 6.4 |
AV:N/AC:H/Au:N/C:P/I:P/A:P
|
CWE-384 Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.