Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2015-5351

Good to know:

icon

Date: February 24, 2016

The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.

Language: Java

Severity Score

Related Resources (44)

https://softwaresupport.hpe.com/document/-/facetsearch/document/KM02978021
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html
http://rhn.redhat.com/errata/RHSA-2016-2599.html
http://www.debian.org/security/2016/dsa-3609
https://security.netapp.com/advisory/ntap-20180531-0001
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
https://web.archive.org/web/20160321234551/http://www.securitytracker.com/id/1035069
https://github.com/apache/tomcat
https://access.redhat.com/security/cve/CVE-2015-5351
http://tomcat.apache.org/security-8.html
http://www.securitytracker.com/id/1035069
https://nvd.nist.gov/vuln/detail/CVE-2015-5351
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://svn.apache.org/viewvc?view=revision&revision=1720652
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442
https://web.archive.org/web/20161020161943/http://www.securityfocus.com/bid/83330
http://svn.apache.org/viewvc?view=revision&revision=1720655
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html
https://bto.bluecoat.com/security-advisory/sa118
http://www.ubuntu.com/usn/USN-3024-1
http://svn.apache.org/viewvc?view=revision&revision=1720658
http://www.securityfocus.com/bid/83330
https://access.redhat.com/errata/RHSA-2016:1088
https://security.netapp.com/advisory/ntap-20180531-0001/
https://security.gentoo.org/glsa/201705-09
http://seclists.org/bugtraq/2016/Feb/148
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://tomcat.apache.org/security-7.html
https://access.redhat.com/errata/RHSA-2016:1087
http://www.debian.org/security/2016/dsa-3530
http://www.debian.org/security/2016/dsa-3552
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html
http://rhn.redhat.com/errata/RHSA-2016-2807.html
http://packetstormsecurity.com/files/135882/Apache-Tomcat-CSRF-Token-Leak.html
http://rhn.redhat.com/errata/RHSA-2016-1089.html
http://tomcat.apache.org/security-9.html
http://svn.apache.org/viewvc?view=revision&revision=1720663
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
http://svn.apache.org/viewvc?view=revision&revision=1720661
http://svn.apache.org/viewvc?view=revision&revision=1720660
http://rhn.redhat.com/errata/RHSA-2016-2808.html
https://www.mend.io/vulnerability-database/CVE-2015-5351

Severity Score

Weakness Type (CWE)

Cross-Site Request Forgery (CSRF)

CWE-352

Top Fix

icon

Upgrade Version

Upgrade to version 7.0.68,8.0.31,9.0.0.M2

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): PARTIAL
Availability (A): PARTIAL
Additional information:

Do you need more information?

Contact Us