java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 up to and including 6.0.36 and 7.x prior to 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote malicious users to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.
| Vulnerable Product | Search on Vulmon | Subscribe to Product |
|---|---|---|
apache tomcat 6.0.33 |
||
apache tomcat 6.0.21 |
||
apache tomcat 6.0.31 |
||
apache tomcat 6.0.29 |
||
apache tomcat 6.0.24 |
||
apache tomcat 6.0.32 |
||
apache tomcat 6.0.28 |
||
apache tomcat 6.0.30 |
||
apache tomcat 6.0.26 |
||
apache tomcat 6.0.27 |
||
apache tomcat 6.0.35 |
||
apache tomcat 6.0.36 |
||
apache tomcat 7.0.2 |
||
apache tomcat 7.0.12 |
||
apache tomcat 7.0.20 |
||
apache tomcat 7.0.8 |
||
apache tomcat 7.0.1 |
||
apache tomcat 7.0.5 |
||
apache tomcat 7.0.4 |
||
apache tomcat 7.0.22 |
||
apache tomcat 7.0.28 |
||
apache tomcat 7.0.0 |
||
apache tomcat 7.0.6 |
||
apache tomcat 7.0.18 |
||
apache tomcat 7.0.14 |
||
apache tomcat 7.0.11 |
||
apache tomcat 7.0.23 |
||
apache tomcat 7.0.7 |
||
apache tomcat 7.0.13 |
||
apache tomcat 7.0.30 |
||
apache tomcat 7.0.15 |
||
apache tomcat 7.0.19 |
||
apache tomcat 7.0.16 |
||
apache tomcat 7.0.10 |
||
apache tomcat 7.0.25 |
||
apache tomcat 7.0.32 |
||
apache tomcat 7.0.21 |
||
apache tomcat 7.0.17 |
||
apache tomcat 7.0.9 |
||
apache tomcat 7.0.3 |
Vulmon