// For flags

CVE-2019-17563

tomcat: Session fixation when using FORM authentication

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

Cuando se usa la autenticación FORM con Apache Tomcat 9.0.0.M1 hasta 9.0.29, 8.5.0 hasta 8.5.49 y 7.0.0 hasta 7.0.98, había una ventana estrecha donde un atacante podía llevar a cabo un ataque de fijación de sesión. La ventana fue considerada demasiado estrecha para que una explotación sea práctica, pero, por precaución, este problema ha sido tratado como una vulnerabilidad de seguridad.

It was found that tomcat's FORM authentication allowed a very small period in which an attacker could possibly force a victim to use a valid user session, or Session Fixation. While practical exploit of this issue is deemed highly improbable, an abundance of caution merits it be considered a flaw. The highest threat from this vulnerability is to system availability, but also threatens data confidentiality and integrity.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-10-14 CVE Reserved
  • 2019-12-23 CVE Published
  • 2024-06-20 EPSS Updated
  • 2024-08-05 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-384: Session Fixation
CAPEC
References (21)
URL Tag Source
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/reb9a66f176df29b9a832caa95ebd9ffa3284e8f4922ec4fa3ad8eb2e%40%3Cissues.cxf.apache.org%3E Mailing List
https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html Mailing List
https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html Mailing List
https://seclists.org/bugtraq/2019/Dec/43 Mailing List
https://security.netapp.com/advisory/ntap-20200107-0001 Third Party Advisory
URL Date SRC
URL Date SRC
https://www.oracle.com/security-alerts/cpuapr2020.html 2023-11-07
https://www.oracle.com/security-alerts/cpujan2021.html 2023-11-07
https://www.oracle.com/security-alerts/cpujul2020.html 2023-11-07
URL Date SRC
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html 2023-11-07
https://lists.apache.org/thread.html/8b4c1db8300117b28a0f3f743c0b9e3f964687a690cdf9662a884bbd%40%3Cannounce.tomcat.apache.org%3E 2023-11-07
https://security.gentoo.org/glsa/202003-43 2023-11-07
https://usn.ubuntu.com/4251-1 2023-11-07
https://www.debian.org/security/2019/dsa-4596 2023-11-07
https://www.debian.org/security/2020/dsa-4680 2023-11-07
https://access.redhat.com/security/cve/CVE-2019-17563 2021-03-30
https://bugzilla.redhat.com/show_bug.cgi?id=1785711 2021-03-30
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 >= 7.0.0 <= 7.0.98
Search vendor "Apache" for product "Tomcat" and version " >= 7.0.0 <= 7.0.98"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 >= 8.5.0 <= 8.5.49
Search vendor "Apache" for product "Tomcat" and version " >= 8.5.0 <= 8.5.49"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 >= 9.0.0 <= 9.0.29
Search vendor "Apache" for product "Tomcat" and version " >= 9.0.0 <= 9.0.29"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 8.0
Search vendor "Debian" for product "Debian Linux" and version "8.0"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected
Opensuse
Search vendor "Opensuse"
 Leap
Search vendor "Opensuse" for product "Leap"
 15.1
Search vendor "Opensuse" for product "Leap" and version "15.1"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 16.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"
lts
Affected
Oracle
Search vendor "Oracle"
 Agile Engineering Data Management
Search vendor "Oracle" for product "Agile Engineering Data Management"
 6.2.1.0
Search vendor "Oracle" for product "Agile Engineering Data Management" and version "6.2.1.0"
-
Affected
Oracle
Search vendor "Oracle"
 Hyperion Infrastructure Technology
Search vendor "Oracle" for product "Hyperion Infrastructure Technology"
 11.1.2.4
Search vendor "Oracle" for product "Hyperion Infrastructure Technology" and version "11.1.2.4"
-
Affected
Oracle
Search vendor "Oracle"
 Instantis Enterprisetrack
Search vendor "Oracle" for product "Instantis Enterprisetrack"
 >= 17.1 <= 17.3
Search vendor "Oracle" for product "Instantis Enterprisetrack" and version " >= 17.1 <= 17.3"
-
Affected
Oracle
Search vendor "Oracle"
 Micros Relate Crm Software
Search vendor "Oracle" for product "Micros Relate Crm Software"
 11.4
Search vendor "Oracle" for product "Micros Relate Crm Software" and version "11.4"
-
Affected
Oracle
Search vendor "Oracle"
 Mysql Enterprise Monitor
Search vendor "Oracle" for product "Mysql Enterprise Monitor"
 <= 4.0.11.5331
Search vendor "Oracle" for product "Mysql Enterprise Monitor" and version " <= 4.0.11.5331"
-
Affected
Oracle
Search vendor "Oracle"
 Mysql Enterprise Monitor
Search vendor "Oracle" for product "Mysql Enterprise Monitor"
 >= 8.0.0 <= 8.0.18.1217
Search vendor "Oracle" for product "Mysql Enterprise Monitor" and version " >= 8.0.0 <= 8.0.18.1217"
-
Affected
Oracle
Search vendor "Oracle"
 Retail Order Broker
Search vendor "Oracle" for product "Retail Order Broker"
 15.0
Search vendor "Oracle" for product "Retail Order Broker" and version "15.0"
-
Affected
Oracle
Search vendor "Oracle"
 Transportation Management
Search vendor "Oracle" for product "Transportation Management"
 6.3.7
Search vendor "Oracle" for product "Transportation Management" and version "6.3.7"
-
Affected