Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2015-5346

Improper Neutralization of Input During Web Page Generation in Apache Tomcat

Description

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.

Base CVSS

8.1

EPSS Score

19.18%

Introduced Version

7.0.5

Fix Available

9.0.0.M2,7.0.67,8.0.32,9.0.0.M3

Fix without Upgrading

Available Patches

Package

CVEs Fixed

Lines of Code Changed

org.apache.tomcat:tomcat-catalina

References

http://svn.apache.org/viewvc?view=revision&revision=1723506

http://svn.apache.org/viewvc?view=revision&revision=1723414

http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html

https://github.com/apache/tomcat/commit/04164c1f01b973e548d95511d417f414ca723cb8

https://web.archive.org/web/20160321234551/http://www.securitytracker.com/id/1035069

https://github.com/apache/tomcat80/commit/41fbee7ba15435a831f765597ff907c56ebf2169

http://svn.apache.org/viewvc?view=revision&revision=1713184

http://seclists.org/bugtraq/2016/Feb/143

https://github.com/apache/tomcat80/commit/c39b7ffc2145644f7f3cf9e3cd4aada5048e56a0

http://svn.apache.org/viewvc?view=revision&revision=1713185

https://web.archive.org/web/20160912063818/http://www.securityfocus.com/bid/83323

http://svn.apache.org/viewvc?view=revision&revision=1713187

https://bz.apache.org/bugzilla/show_bug.cgi?id=58809

https://github.com/apache/tomcat/commit/6287be37d8d06c320215c45f7e2b8380411692e0

http://packetstormsecurity.com/files/135890/Apache-Tomcat-Session-Fixation.html

https://github.com/apache/tomcat/commit/83679b99cd40caa401d173c8f8e72fc98eb5d5be

http://rhn.redhat.com/errata/RHSA-2016-2046.html

https://nvd.nist.gov/vuln/detail/CVE-2015-5346

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html

http://rhn.redhat.com/errata/RHSA-2016-2808.html

http://www.ubuntu.com/usn/USN-3024-1

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

http://tomcat.apache.org/security-8.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html

http://tomcat.apache.org/security-9.html

http://tomcat.apache.org/security-7.html

http://www.debian.org/security/2016/dsa-3530

http://rhn.redhat.com/errata/RHSA-2016-1089.html

http://www.debian.org/security/2016/dsa-3609

http://rhn.redhat.com/errata/RHSA-2016-2807.html

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

http://www.debian.org/security/2016/dsa-3552

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626

https://access.redhat.com/errata/RHSA-2016:1087

https://bto.bluecoat.com/security-advisory/sa118

https://access.redhat.com/errata/RHSA-2016:1088

https://security.netapp.com/advisory/ntap-20180531-0001

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html

https://security.gentoo.org/glsa/201705-09

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E

https://github.com/apache/tomcat

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

AppSec for the Software Development Revolution

Endor Labs builds a complete graph of your software estate, so teams can pinpoint and fix critical risks in complex, dependency-rich code—whether it was written by humans or AI.

Welcome to the resistance

Oops! Something went wrong, please try again.