Vulnerability DatabaseCVE-2015-5346
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2015-5346
February 25, 2016
Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.
Related Resources (47)
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
http://rhn.redhat.com/errata/RHSA-2016-2046.html
http://rhn.redhat.com/errata/RHSA-2016-1089.html
http://svn.apache.org/viewvc?view=revision&revision=1713185
https://github.com/apache/tomcat
https://security.netapp.com/advisory/ntap-20180531-0001
https://github.com/apache/tomcat/commit/83679b99cd40caa401d173c8f8e72fc98eb5d5be
http://svn.apache.org/viewvc?view=revision&revision=1723506
http://svn.apache.org/viewvc?view=revision&revision=1723414
http://www.securitytracker.com/id/1035069
http://www.ubuntu.com/usn/USN-3024-1
https://web.archive.org/web/20160912063818/http://www.securityfocus.com/bid/83323
https://security.gentoo.org/glsa/201705-09
https://access.redhat.com/errata/RHSA-2016:1088
https://security.netapp.com/advisory/ntap-20180531-0001/
https://github.com/apache/tomcat80/commit/41fbee7ba15435a831f765597ff907c56ebf2169
http://www.debian.org/security/2016/dsa-3552
http://tomcat.apache.org/security-7.html
http://www.debian.org/security/2016/dsa-3609
http://tomcat.apache.org/security-8.html
https://github.com/apache/tomcat/commit/6287be37d8d06c320215c45f7e2b8380411692e0
https://web.archive.org/web/20160321234551/http://www.securitytracker.com/id/1035069
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626
http://www.securityfocus.com/bid/83323
https://nvd.nist.gov/vuln/detail/CVE-2015-5346
http://rhn.redhat.com/errata/RHSA-2016-2807.html
http://packetstormsecurity.com/files/135890/Apache-Tomcat-Session-Fixation.html
http://seclists.org/bugtraq/2016/Feb/143
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html
https://bz.apache.org/bugzilla/show_bug.cgi?id=58809
http://svn.apache.org/viewvc?view=revision&revision=1713187
https://github.com/apache/tomcat80/commit/c39b7ffc2145644f7f3cf9e3cd4aada5048e56a0
http://rhn.redhat.com/errata/RHSA-2016-2808.html
http://tomcat.apache.org/security-9.html
https://access.redhat.com/errata/RHSA-2016:1087
http://svn.apache.org/viewvc?view=revision&revision=1713184
https://github.com/apache/tomcat/commit/04164c1f01b973e548d95511d417f414ca723cb8
http://www.debian.org/security/2016/dsa-3530
https://access.redhat.com/security/cve/CVE-2015-5346
https://bto.bluecoat.com/security-advisory/sa118
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html
Do you need more information?
Contact Us
CVSS v4
Base Score:
9.2
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.1
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
CVSS v2
Base Score:
6.8
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
Weakness Type (CWE)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-79
EPSS
Base Score:
36.17