CVE-2015-5346

8.1 HIGH

Published: February 25, 2016 Modified: May 06, 2026

Description

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html

Source: secalert@redhat.com

http://packetstormsecurity.com/files/135890/Apache-Tomcat-Session-Fixation.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2016-1089.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2016-2046.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2016-2807.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2016-2808.html

Source: secalert@redhat.com

http://seclists.org/bugtraq/2016/Feb/143

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1713184

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1713185

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1713187

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1723414

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1723506

Source: secalert@redhat.com

http://tomcat.apache.org/security-7.html

Source: secalert@redhat.com

Vendor Advisory

http://tomcat.apache.org/security-8.html

Source: secalert@redhat.com

Vendor Advisory

http://tomcat.apache.org/security-9.html

Source: secalert@redhat.com

Vendor Advisory

http://www.debian.org/security/2016/dsa-3530

Source: secalert@redhat.com

http://www.debian.org/security/2016/dsa-3552

Source: secalert@redhat.com

http://www.debian.org/security/2016/dsa-3609

Source: secalert@redhat.com

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Source: secalert@redhat.com

http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html

Source: secalert@redhat.com

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

Source: secalert@redhat.com

http://www.securityfocus.com/bid/83323

Source: secalert@redhat.com

http://www.securitytracker.com/id/1035069

Source: secalert@redhat.com

http://www.ubuntu.com/usn/USN-3024-1

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2016:1087

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2016:1088

Source: secalert@redhat.com

https://bto.bluecoat.com/security-advisory/sa118

Source: secalert@redhat.com

https://bz.apache.org/bugzilla/show_bug.cgi?id=58809

Source: secalert@redhat.com

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442

Source: secalert@redhat.com

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://security.gentoo.org/glsa/201705-09

Source: secalert@redhat.com

https://security.netapp.com/advisory/ntap-20180531-0001/

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html