CVE-2015-5351

The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 90%
Affected Products (NVD)
VendorProductVersion
apachetomcat
7.0.0:beta
apachetomcat
7.0.2:beta
apachetomcat
7.0.4:beta
apachetomcat
7.0.5:beta
apachetomcat
7.0.6
apachetomcat
7.0.10
apachetomcat
7.0.11
apachetomcat
7.0.12
apachetomcat
7.0.14
apachetomcat
7.0.16
apachetomcat
7.0.19
apachetomcat
7.0.20
apachetomcat
7.0.21
apachetomcat
7.0.22
apachetomcat
7.0.23
apachetomcat
7.0.25
apachetomcat
7.0.26
apachetomcat
7.0.27
apachetomcat
7.0.28
apachetomcat
7.0.29
apachetomcat
7.0.30
apachetomcat
7.0.32
apachetomcat
7.0.33
apachetomcat
7.0.34
apachetomcat
7.0.35
apachetomcat
7.0.37
apachetomcat
7.0.39
apachetomcat
7.0.40
apachetomcat
7.0.41
apachetomcat
7.0.42
apachetomcat
7.0.47
apachetomcat
7.0.50
apachetomcat
7.0.52
apachetomcat
7.0.53
apachetomcat
7.0.54
apachetomcat
7.0.55
apachetomcat
7.0.56
apachetomcat
7.0.57
apachetomcat
7.0.59
apachetomcat
7.0.61
apachetomcat
7.0.62
apachetomcat
7.0.63
apachetomcat
7.0.64
apachetomcat
7.0.65
apachetomcat
7.0.67
apachetomcat
8.0.0:rc1
apachetomcat
8.0.0:rc10
apachetomcat
8.0.0:rc3
apachetomcat
8.0.0:rc5
apachetomcat
8.0.1
apachetomcat
8.0.3
apachetomcat
8.0.11
apachetomcat
8.0.12
apachetomcat
8.0.14
apachetomcat
8.0.15
apachetomcat
8.0.17
apachetomcat
8.0.18
apachetomcat
8.0.20
apachetomcat
8.0.21
apachetomcat
8.0.22
apachetomcat
8.0.23
apachetomcat
8.0.24
apachetomcat
8.0.26
apachetomcat
8.0.27
apachetomcat
8.0.28
apachetomcat
8.0.29
apachetomcat
8.0.30
apachetomcat
9.0.0:milestone1
debiandebian_linux
7.0
debiandebian_linux
8.0
canonicalubuntu_linux
12.04
canonicalubuntu_linux
14.04
canonicalubuntu_linux
15.10
canonicalubuntu_linux
16.04
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
tomcat9
bookworm
9.0.70-2
fixed
bullseye
9.0.43-2~deb11u10
fixed
bullseye (security)
9.0.43-2~deb11u10
fixed
sid
9.0.95-1
fixed
trixie
9.0.95-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
tomcat6
artful
dne
bionic
dne
precise
not-affected
trusty
Fixed 6.0.39-1ubuntu0.1
released
wily
ignored
xenial
not-affected
yakkety
dne
zesty
dne
tomcat7
artful
not-affected
bionic
not-affected
precise
ignored
trusty
Fixed 7.0.52-1ubuntu0.6
released
wily
Fixed 7.0.64-1ubuntu0.3
released
xenial
not-affected
yakkety
not-affected
zesty
not-affected
tomcat8
artful
not-affected
bionic
not-affected
precise
dne
trusty
dne
wily
ignored
xenial
not-affected
yakkety
not-affected
zesty
not-affected
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
tomcat
suse enterprise sap 12
7.0.68-7.6.1
fixed
suse enterprise sap 12 SP1
8.0.32-3.1
fixed
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12
7.0.68-7.6.1
fixed
suse enterprise server 12 SP1
8.0.32-3.1
fixed
suse enterprise server 12 SP2
8.0.36-11.4
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
tomcat-admin-webapps
suse enterprise sap 12
7.0.68-7.6.1
fixed
suse enterprise sap 12 SP1
8.0.32-3.1
fixed
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12
7.0.68-7.6.1
fixed
suse enterprise server 12 SP1
8.0.32-3.1
fixed
suse enterprise server 12 SP2
8.0.36-11.4
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
tomcat-docs-webapp
suse enterprise sap 12
7.0.68-7.6.1
fixed
suse enterprise sap 12 SP1
8.0.32-3.1
fixed
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12
7.0.68-7.6.1
fixed
suse enterprise server 12 SP1
8.0.32-3.1
fixed
suse enterprise server 12 SP2
8.0.36-11.4
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
tomcat-el-2_2-api
suse enterprise sap 12
7.0.68-7.6.1
fixed
suse enterprise server 12
7.0.68-7.6.1
fixed
tomcat-el-3_0-api
suse enterprise sap 12 SP1
8.0.32-3.1
fixed
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12 SP1
8.0.32-3.1
fixed
suse enterprise server 12 SP2
8.0.36-11.4
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
tomcat-javadoc
suse enterprise sap 12
7.0.68-7.6.1
fixed
suse enterprise sap 12 SP1
8.0.32-3.1
fixed
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12
7.0.68-7.6.1
fixed
suse enterprise server 12 SP1
8.0.32-3.1
fixed
suse enterprise server 12 SP2
8.0.36-11.4
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
tomcat-jsp-2_2-api
suse enterprise sap 12
7.0.68-7.6.1
fixed
suse enterprise server 12
7.0.68-7.6.1
fixed
tomcat-jsp-2_3-api
suse enterprise sap 12 SP1
8.0.32-3.1
fixed
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12 SP1
8.0.32-3.1
fixed
suse enterprise server 12 SP2
8.0.36-11.4
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
tomcat-lib
suse enterprise sap 12
7.0.68-7.6.1
fixed
suse enterprise sap 12 SP1
8.0.32-3.1
fixed
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12
7.0.68-7.6.1
fixed
suse enterprise server 12 SP1
8.0.32-3.1
fixed
suse enterprise server 12 SP2
8.0.36-11.4
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
tomcat-servlet-3_0-api
suse enterprise sap 12
7.0.68-7.6.1
fixed
suse enterprise server 12
7.0.68-7.6.1
fixed
tomcat-servlet-3_1-api
suse enterprise sap 12 SP1
8.0.32-3.1
fixed
suse enterprise server 12 SP1
8.0.32-3.1
fixed
suse enterprise server 12 SP2
8.0.36-11.4
fixed
tomcat-servlet-4_0-api
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
tomcat-webapps
suse enterprise sap 12
7.0.68-7.6.1
fixed
suse enterprise sap 12 SP1
8.0.32-3.1
fixed
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12
7.0.68-7.6.1
fixed
suse enterprise server 12 SP1
8.0.32-3.1
fixed
suse enterprise server 12 SP2
8.0.36-11.4
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
tomcat
RHEL 7
0:7.0.69-10.el7
fixed
tomcat-admin-webapps
RHEL 7
0:7.0.69-10.el7
fixed
tomcat-docs-webapp
RHEL 7
0:7.0.69-10.el7
fixed
tomcat-el-2.2-api
RHEL 7
0:7.0.69-10.el7
fixed
tomcat-javadoc
RHEL 7
0:7.0.69-10.el7
fixed
tomcat-jsp-2.2-api
RHEL 7
0:7.0.69-10.el7
fixed
tomcat-jsvc
RHEL 7
0:7.0.69-10.el7
fixed
tomcat-lib
RHEL 7
0:7.0.69-10.el7
fixed
tomcat-servlet-3.0-api
RHEL 7
0:7.0.69-10.el7
fixed
tomcat-webapps
RHEL 7
0:7.0.69-10.el7
fixed
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html
http://packetstormsecurity.com/files/135882/Apache-Tomcat-CSRF-Token-Leak.html
http://rhn.redhat.com/errata/RHSA-2016-1089.html
http://rhn.redhat.com/errata/RHSA-2016-2599.html
http://rhn.redhat.com/errata/RHSA-2016-2807.html
http://rhn.redhat.com/errata/RHSA-2016-2808.html
http://seclists.org/bugtraq/2016/Feb/148
http://svn.apache.org/viewvc?view=revision&revision=1720652
http://svn.apache.org/viewvc?view=revision&revision=1720655
http://svn.apache.org/viewvc?view=revision&revision=1720658
http://svn.apache.org/viewvc?view=revision&revision=1720660
http://svn.apache.org/viewvc?view=revision&revision=1720661
http://svn.apache.org/viewvc?view=revision&revision=1720663
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html
http://www.debian.org/security/2016/dsa-3530
http://www.debian.org/security/2016/dsa-3552
http://www.debian.org/security/2016/dsa-3609
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.securityfocus.com/bid/83330
http://www.securitytracker.com/id/1035069
http://www.ubuntu.com/usn/USN-3024-1
https://access.redhat.com/errata/RHSA-2016:1087
https://access.redhat.com/errata/RHSA-2016:1088
https://bto.bluecoat.com/security-advisory/sa118
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
https://security.gentoo.org/glsa/201705-09
https://security.netapp.com/advisory/ntap-20180531-0001/
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM02978021
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html
http://packetstormsecurity.com/files/135882/Apache-Tomcat-CSRF-Token-Leak.html
http://rhn.redhat.com/errata/RHSA-2016-1089.html
http://rhn.redhat.com/errata/RHSA-2016-2599.html
http://rhn.redhat.com/errata/RHSA-2016-2807.html
http://rhn.redhat.com/errata/RHSA-2016-2808.html
http://seclists.org/bugtraq/2016/Feb/148
http://svn.apache.org/viewvc?view=revision&revision=1720652
http://svn.apache.org/viewvc?view=revision&revision=1720655
http://svn.apache.org/viewvc?view=revision&revision=1720658
http://svn.apache.org/viewvc?view=revision&revision=1720660
http://svn.apache.org/viewvc?view=revision&revision=1720661
http://svn.apache.org/viewvc?view=revision&revision=1720663
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html
http://www.debian.org/security/2016/dsa-3530
http://www.debian.org/security/2016/dsa-3552
http://www.debian.org/security/2016/dsa-3609
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.securityfocus.com/bid/83330
http://www.securitytracker.com/id/1035069
http://www.ubuntu.com/usn/USN-3024-1
https://access.redhat.com/errata/RHSA-2016:1087
https://access.redhat.com/errata/RHSA-2016:1088
https://bto.bluecoat.com/security-advisory/sa118
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
https://security.gentoo.org/glsa/201705-09
https://security.netapp.com/advisory/ntap-20180531-0001/
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM02978021