CVE-2019-17563 — HIGH (7.5)

Q: How severe is CVE-2019-17563?

CVE-2019-17563 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-17563?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Debian Debian Linux, Opensuse Leap, Canonical Ubuntu Linux, Oracle Agile Engineering Data Management.

Vulnerability Description

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Tomcat	>= 7.0.0, <= 7.0.98
Debian	Debian Linux	8.0
Opensuse	Leap	15.1
Canonical	Ubuntu Linux	16.04
Oracle	Agile Engineering Data Management	6.2.1.0
Oracle	Hyperion Infrastructure Technology	11.1.2.4
Oracle	Instantis Enterprisetrack	>= 17.1, <= 17.3
Oracle	Micros Relate Crm Software	11.4
Oracle	Mysql Enterprise Monitor	<= 4.0.11.5331
Oracle	Retail Order Broker	15.0
Oracle	Transportation Management	6.3.7

Related Weaknesses (CWE)

CWE-384

References

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.htmlThird Party Advisory
https://lists.apache.org/thread.html/8b4c1db8300117b28a0f3f743c0b9e3f964687a690cMailing ListVendor Advisory
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453
https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f67412
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a148555
https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d
https://lists.apache.org/thread.html/reb9a66f176df29b9a832caa95ebd9ffa3284e8f492
https://lists.debian.org/debian-lts-announce/2020/01/msg00024.htmlThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/05/msg00026.htmlMailing ListThird Party Advisory
https://seclists.org/bugtraq/2019/Dec/43Mailing ListThird Party Advisory
https://security.gentoo.org/glsa/202003-43Third Party Advisory
https://security.netapp.com/advisory/ntap-20200107-0001/Third Party Advisory
https://usn.ubuntu.com/4251-1/Third Party Advisory
https://www.debian.org/security/2019/dsa-4596Third Party Advisory

FAQ

What is CVE-2019-17563?

CVE-2019-17563 is a vulnerability with a CVSS score of 7.5 (HIGH). When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The windo...

How severe is CVE-2019-17563?

CVE-2019-17563 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-17563?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Debian Debian Linux, Opensuse Leap, Canonical Ubuntu Linux, Oracle Agile Engineering Data Management.