java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2013-2067 from the MITRE CVE dictionary dictionary and NIST NVD.
This flaw allows an attacker to circumvent a session fixation prevention mechanism which was implemented in tomcat 5.5.x >= 5.5.29, 6.0.x >= 6.0.21 and 7.x. Earlier versions of tomcat do not include this mechanism, and are therefore not affected by this flaw. JBoss Web as included in JBoss 5.x products also does not include this mechanism, and is not affected by this flaw.
Base Score | 2.6 |
---|---|
Base Metrics | AV:N/AC:H/Au:N/C:N/I:P/A:N |
Access Vector | Network |
Access Complexity | High |
Authentication | None |
Confidentiality Impact | None |
Integrity Impact | Partial |
Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Platform | Errata | Release Date |
---|---|---|
Red Hat JBoss Web Server 2.0 | RHSA-2013:1013 | 2013-07-03 |
Red Hat JBoss Portal Platform 6.1 | RHSA-2013:1437 | 2013-10-16 |
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jbossweb) | RHSA-2013:0834 | 2013-05-20 |
Red Hat Enterprise Linux 6 (tomcat6) | RHSA-2013:0964 | 2013-06-20 |
Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Server | RHSA-2013:1012 | 2013-07-03 |
Red Hat JBoss Enterprise Web Server 2 for RHEL 5 Server | RHSA-2013:1011 | 2013-07-03 |
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (jbossweb) | RHSA-2013:0839 | 2013-05-20 |
Platform | Package | State |
---|---|---|
Red Hat JBoss Operations Network 3.1 | jbossweb | Not affected |
Red Hat JBoss EWS 1 | tomcat6 | Will not fix |
Red Hat JBoss EWS 1 | tomcat5 | Will not fix |
Red Hat JBoss Data Grid 6 | jbossweb | Not affected |
Red Hat Enterprise Linux 5 | tomcat5 | Not affected |