It was found that previous fixes in Tomcat 6 to path parameter handling introduced a regression that caused Tomcat to not properly disable URL rewriting to track session IDs when the disableURLRewriting option was enabled. A man-in-the-middle attacker could potentially use this flaw to hijack a user's session ...
Several security issues were fixed in Tomcat ...
Security Advisory ID:
Initial Publication Date: 23 Jul 2015
CVSS Base Score: CVSS v2: 78