Session Fixation Vulnerability in Apache Tomcat 7.0.0 to 7.0.98, 8.5.0 to 8.5.49, and 9.0.0.M1 to 9.0.29

Session Fixation Vulnerability in Apache Tomcat 7.0.0 to 7.0.98, 8.5.0 to 8.5.49, and 9.0.0.M1 to 9.0.29

CVE-2019-17563 · HIGH Severity

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

Learn more about our Cis Benchmark Audit For Apache Http Server.