Home > Vulnerability Database > CVE-2015-5346

Mend.io Vulnerability Database

CVE-2015-5346

Good to know:

Date: February 24, 2016

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.

Language: Java

Severity Score

8.1

Related Resources (48)

Url: http://rhn.redhat.com/errata/RHSA-2016-2046.html

Url: https://github.com/apache/tomcat/commit/83679b99cd40caa401d173c8f8e72fc98eb5d5be

Url: http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html

Url: https://github.com/apache/tomcat80/commit/c39b7ffc2145644f7f3cf9e3cd4aada5048e56a0

Url: http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

Url: http://www.debian.org/security/2016/dsa-3609

Url: https://security.netapp.com/advisory/ntap-20180531-0001

Url: http://packetstormsecurity.com/files/135890/Apache-Tomcat-Session-Fixation.html

Url: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Url: https://web.archive.org/web/20160321234551/http://www.securitytracker.com/id/1035069

Url: https://web.archive.org/web/20160912063818/http://www.securityfocus.com/bid/83323

Url: https://github.com/apache/tomcat

Url: http://tomcat.apache.org/security-8.html

Url: http://www.securitytracker.com/id/1035069

Url: https://bz.apache.org/bugzilla/show_bug.cgi?id=58809

Url: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626

Url: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442

Url: http://svn.apache.org/viewvc?view=revision&revision=1723506

Url: http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html

Url: https://bto.bluecoat.com/security-advisory/sa118

Url: http://www.ubuntu.com/usn/USN-3024-1

Url: https://access.redhat.com/errata/RHSA-2016:1088

Url: https://security.netapp.com/advisory/ntap-20180531-0001/

Url: https://access.redhat.com/security/cve/CVE-2015-5346

Url: https://security.gentoo.org/glsa/201705-09

Url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

Url: http://tomcat.apache.org/security-7.html

Url: https://github.com/apache/tomcat/commit/04164c1f01b973e548d95511d417f414ca723cb8

Url: http://seclists.org/bugtraq/2016/Feb/143

Url: http://svn.apache.org/viewvc?view=revision&revision=1713187

Url: https://access.redhat.com/errata/RHSA-2016:1087

Url: http://www.debian.org/security/2016/dsa-3530

Url: http://www.debian.org/security/2016/dsa-3552

Url: http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html

Url: http://rhn.redhat.com/errata/RHSA-2016-2807.html

Url: http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html

Url: https://github.com/apache/tomcat80/commit/41fbee7ba15435a831f765597ff907c56ebf2169

Url: http://rhn.redhat.com/errata/RHSA-2016-1089.html

Url: http://tomcat.apache.org/security-9.html

Url: http://www.securityfocus.com/bid/83323

Url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E

Url: https://nvd.nist.gov/vuln/detail/CVE-2015-5346

Url: http://rhn.redhat.com/errata/RHSA-2016-2808.html

Url: http://svn.apache.org/viewvc?view=revision&revision=1713185

Url: http://svn.apache.org/viewvc?view=revision&revision=1713184

Url: https://github.com/apache/tomcat/commit/6287be37d8d06c320215c45f7e2b8380411692e0

Url: http://svn.apache.org/viewvc?view=revision&revision=1723414

Url: https://www.mend.io/vulnerability-database/CVE-2015-5346

Severity Score

8.1

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Top Fix

Upgrade Version

Upgrade to version org.apache.tomcat.embed:tomcat-embed-core:9.0.0.M21,8.0.30,7.0.66,org.apache.tomcat:tomcat-catalina:9.0.0.M21,8.0.30,7.0.66

Learn More

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	6.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2015-5346

Good to know:

Date: February 24, 2016

Language: Java

Severity Score

Related Resources (48)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?