CVE-2015-5346

Aliases:GHSA-jrcp-c39h-r29x
Advisory lineage Upstream: 0 Downstream: 14
Modified
Published: 25 Feb 2016, 01:00
Last modified:06 Aug 2024, 06:41

Vulnerability Summary

Overall Risk (default)
medium
40/100
CVSS Score
8.1 HIGH
v3.0 (nvd)
EPSS Score
36.59% HIGH
37% probability +0.27%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

25 Feb 2016, 01:00
Published
Vulnerability first disclosed
06 Aug 2024, 06:41
Last Modified
Vulnerability information updated

Description

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.

CVSS Metrics

  • v3.0HIGHScore: 8.1CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • v2.0MEDIUMScore: 6.8AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 36.59% Percentile: 97%

Affected Systems

  • UnknownTomcat

    7.0.0:beta | 7.0.2:beta | 7.0.4:beta | 7.0.5:beta | 7.0.6 | 7.0.10 | 7.0.11 | 7.0.12 | 7.0.14 | 7.0.16 | 7.0.19 | 7.0.20 | 7.0.21 | 7.0.22 | 7.0.23 | 7.0.25 | 7.0.26 | 7.0.27 | 7.0.28 | 7.0.29 | 7.0.30 | 7.0.32 | 7.0.33 | 7.0.34 | 7.0.35 | 7.0.37 | 7.0.39 | 7.0.40 | 7.0.41 | 7.0.42 | 7.0.47 | 7.0.50 | 7.0.52 | 7.0.53 | 7.0.54 | 7.0.55 | 7.0.56 | 7.0.57 | 7.0.59 | 7.0.61 | 7.0.62 | 7.0.63 | 7.0.64 | 7.0.65 | 8.0.0:rc1 | 8.0.0:rc10 | 8.0.0:rc3 | 8.0.0:rc5 | 8.0.1 | 8.0.3 | 8.0.11 | 8.0.12 | 8.0.14 | 8.0.15 | 8.0.17 | 8.0.18 | 8.0.20 | 8.0.21 | 8.0.22 | 8.0.23 | 8.0.24 | 8.0.26 | 8.0.27 | 8.0.28 | 8.0.29 | 9.0.0:milestone1

  • canonicalubuntu_linux

    12.04 | 14.04 | 15.10 | 16.04

  • debiandebian_linux

    7.0 | 8.0

  • org.apache.tomcattomcat

    ≥ 9.0.0.M1, < 9.0.0.M2 | ≥ 8.0.0.RC1, < 8.0.31 | ≥ 7.0.0, < 7.0.66

References (46)