1. Home
  2. CVE Database
  3. CVE-2015-5346
HIGH · 8.1

CVE-2015-5346

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same...

Vulnerability Description

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.

CVSS Score

8.1

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
ApacheTomcat7.0.0
CanonicalUbuntu Linux12.04
DebianDebian Linux7.0

References

FAQ

What is CVE-2015-5346?

CVE-2015-5346 is a vulnerability with a CVSS score of 8.1 (HIGH). Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same...

How severe is CVE-2015-5346?

CVE-2015-5346 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2015-5346?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Canonical Ubuntu Linux, Debian Debian Linux.