Page 9 of 42 results (0.010 seconds)

CVSS: 8.1EPSS: 0%CPEs: 72EXPL: 0

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java. Vulnerabilidad de fijación de sesión en Apache Tomcat 7.x en versiones anteriores a 7.0.66, 8.x en versiones anteriores a 8.0.30 y 9.x en versiones anteriores a 9.0.0.M2, cuando se utilizan configuraciones de sesión diferentes para despliegues de múltiples versiones de la misma aplicación web, podría permitir a atacantes remotos secuestrar sesiones web aprovechando el uso de un campo requestedSessionSSL para una petición no intencionada, relacionado con CoyoteAdapter.java y Request.java. A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. • http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html http://packetstormsecurity.com/files/135890/Apache-Tomcat-Session-Fixation.html http://rhn.redhat.com/errata/RHSA-2016-1089.html http://rhn.redhat.com/errata/RHSA-2016-2046.html http://rhn.redhat.com/errata/RHSA-2016-2807.html http://rhn.redhat.com/errata/RHSA-2016-2 •

CVSS: 8.8EPSS: 0%CPEs: 104EXPL: 0

The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. La implementación de persistencia de sesión en Apache Tomcat 6.x en versiones anteriores a 6.0.45, 7.x en versiones anteriores a 7.0.68, 8.x en versiones anteriores a 8.0.31 y 9.x en versiones anteriores a 9.0.0.M2 no maneja correctamente atributos de sesión, lo que permite a usuarios remotos autenticados eludir las restricciones de SecurityManager previstas y ejecutar código arbitrario en un contexto privilegiado a través de una aplicación web que sitúa un objeto manipulado en una sesión. It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. • http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html http://marc.info/?l=bugtraq&m=145974991225029&w=2 http://rhn.redhat.com/errata/RHSA-2016-1089.html http://rhn.redhat.com/errata/RHSA-2016-2045.html http://rhn.redhat.com/errata/RHSA-2016 • CWE-264: Permissions, Privileges, and Access Controls CWE-290: Authentication Bypass by Spoofing •