Session Fixation

CVE-2019-17563

High

7.5/10

Summary

When using FORM authentication with Apache Tomcat before 7.0.99, 8.x before 8.5.50 and 9.x before 9.0.30 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

Attack Complexity: HIGH
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-384 - Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

References

Release Note
Advisory

Advisory Timeline

Published Dec 23, 2019

Session Fixation

CVE-2019-17563

Summary

CWE-384 - Session Fixation

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS