1. Home
  2. CVE Database
  3. CVE-2015-5351
HIGH · 8.8

CVE-2015-5351

The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, whi...

Vulnerability Description

The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.

CVSS Score

8.8

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
ApacheTomcat7.0.0
DebianDebian Linux7.0
CanonicalUbuntu Linux12.04

Related Weaknesses (CWE)

CWE-352

References

FAQ

What is CVE-2015-5351?

CVE-2015-5351 is a vulnerability with a CVSS score of 8.8 (HIGH). The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, whi...

How severe is CVE-2015-5351?

CVE-2015-5351 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2015-5351?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Debian Debian Linux, Canonical Ubuntu Linux.