CVE-2019-17563

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.
CVSS 3.x Base Score

Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
--- | --- | --- | --- | --- | --- | ---
NIST | Primary | 7.5 HIGH | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score: percentile 89%
Affected Products (NVD)

Vendor | Product | Version
--- | --- | ---
apache | tomcat | 7.0.0 ≤ x ≤ 7.0.98
apache | tomcat | 8.5.0 ≤ x ≤ 8.5.49
apache | tomcat | 9.0.0 ≤ x ≤ 9.0.29
debian | debian_linux | 8.0
debian | debian_linux | 9.0
debian | debian_linux | 10.0
opensuse | leap | 15.1
canonical | ubuntu_linux | 16.04
oracle | agile_engineering_data_management | 6.2.1.0
oracle | hyperion_infrastructure_technology | 11.1.2.4
oracle | instantis_enterprisetrack | 17.1 ≤ x ≤ 17.3
oracle | micros_relate_crm_software | 11.4
oracle | mysql_enterprise_monitor | x ≤ 4.0.11.5331
oracle | mysql_enterprise_monitor | 8.0.0 ≤ x ≤ 8.0.18.1217
oracle | retail_order_broker | 15.0
oracle | transportation_management | 6.3.7

x = vulnerable software versions
Debian Releases

Debian Product | Codename | Version | Status
--- | --- | --- | ---
tomcat9 | bookworm | 9.0.70-2 | fixed
tomcat9 | bullseye | 9.0.43-2~deb11u10 | fixed
tomcat9 | bullseye (security) | 9.0.43-2~deb11u10 | fixed
tomcat9 | sid | 9.0.95-1 | fixed
tomcat9 | stretch | | ignored
tomcat9 | trixie | 9.0.95-1 | fixed
Ubuntu Releases

Ubuntu Product | Codename | Status
--- | --- | ---
tomcat7 | bionic | needs-triage
tomcat7 | disco | dne
tomcat7 | eoan | dne
tomcat7 | focal | dne
tomcat7 | groovy | dne
tomcat7 | hirsute | dne
tomcat7 | impish | dne
tomcat7 | jammy | dne
tomcat7 | kinetic | dne
tomcat7 | lunar | dne
tomcat7 | mantic | dne
tomcat7 | noble | dne
tomcat7 | trusty | needs-triage
tomcat7 | xenial | needs-triage
tomcat8 | bionic | needs-triage
tomcat8 | disco | dne
tomcat8 | eoan | dne
tomcat8 | focal | dne
tomcat8 | groovy | dne
tomcat8 | hirsute | dne
tomcat8 | impish | dne
tomcat8 | jammy | dne
tomcat8 | kinetic | dne
tomcat8 | lunar | dne
tomcat8 | mantic | dne
tomcat8 | noble | dne
tomcat8 | trusty | dne
tomcat8 | xenial | Fixed 8.0.32-1ubuntu1.11 (released)
tomcat9 | bionic | needs-triage
tomcat9 | disco | ignored
tomcat9 | eoan | ignored
tomcat9 | focal | not-affected
tomcat9 | groovy | not-affected
tomcat9 | hirsute | not-affected
tomcat9 | impish | not-affected
tomcat9 | jammy | not-affected
tomcat9 | kinetic | not-affected
tomcat9 | lunar | not-affected
tomcat9 | mantic | not-affected
tomcat9 | noble | not-affected
tomcat9 | trusty | dne
tomcat9 | xenial | dne
openSUSE / SLES Releases

openSUSE Product | Release | Version | Status
--- | --- | --- | ---
tomcat | suse enterprise sap 12 SP1 | 8.0.53-10.43.1 | fixed
tomcat | suse enterprise sap 12 SP2 | 8.0.53-29.27.1 | fixed
tomcat | suse enterprise sap 12 SP3 | 8.0.53-29.27.1 | fixed
tomcat | suse enterprise sap 12 SP4 | 9.0.31-3.25.1 | fixed
tomcat | suse enterprise sap 12 SP5 | 9.0.31-3.25.1 | fixed
tomcat | suse enterprise sap 15 | 9.0.30-3.34.1 | fixed
tomcat | suse enterprise sap 15 SP1 | 9.0.30-4.10.1 | fixed
tomcat | suse enterprise server 12 SP1 | 8.0.53-10.43.1 | fixed
tomcat | suse enterprise server 12 SP2 | 8.0.53-29.27.1 | fixed
tomcat | suse enterprise server 12 SP3 | 8.0.53-29.27.1 | fixed
tomcat | suse enterprise server 12 SP4 | 9.0.31-3.25.1 | fixed
tomcat | suse enterprise server 12 SP5 | 9.0.31-3.25.1 | fixed
tomcat | suse enterprise server 15 | 9.0.30-3.34.1 | fixed
tomcat | suse enterprise server 15 SP1 | 9.0.30-4.10.1 | fixed
tomcat-admin-webapps | suse enterprise sap 12 SP1 | 8.0.53-10.43.1 | fixed
tomcat-admin-webapps | suse enterprise sap 12 SP2 | 8.0.53-29.27.1 | fixed
tomcat-admin-webapps | suse enterprise sap 12 SP3 | 8.0.53-29.27.1 | fixed
tomcat-admin-webapps | suse enterprise sap 12 SP4 | 9.0.31-3.25.1 | fixed
tomcat-admin-webapps | suse enterprise sap 12 SP5 | 9.0.31-3.25.1 | fixed
tomcat-admin-webapps | suse enterprise sap 15 | 9.0.30-3.34.1 | fixed
tomcat-admin-webapps | suse enterprise sap 15 SP1 | 9.0.30-4.10.1 | fixed
tomcat-admin-webapps | suse enterprise server 12 SP1 | 8.0.53-10.43.1 | fixed
tomcat-admin-webapps | suse enterprise server 12 SP2 | 8.0.53-29.27.1 | fixed
tomcat-admin-webapps | suse enterprise server 12 SP3 | 8.0.53-29.27.1 | fixed
tomcat-admin-webapps | suse enterprise server 12 SP4 | 9.0.31-3.25.1 | fixed
tomcat-admin-webapps | suse enterprise server 12 SP5 | 9.0.31-3.25.1 | fixed
tomcat-admin-webapps | suse enterprise server 15 | 9.0.30-3.34.1 | fixed
tomcat-admin-webapps | suse enterprise server 15 SP1 | 9.0.30-4.10.1 | fixed
tomcat-docs-webapp | suse enterprise sap 12 SP1 | 8.0.53-10.43.1 | fixed
tomcat-docs-webapp | suse enterprise sap 12 SP2 | 8.0.53-29.27.1 | fixed
tomcat-docs-webapp | suse enterprise sap 12 SP3 | 8.0.53-29.27.1 | fixed
tomcat-docs-webapp | suse enterprise sap 12 SP4 | 9.0.31-3.25.1 | fixed
tomcat-docs-webapp | suse enterprise sap 12 SP5 | 9.0.31-3.25.1 | fixed
tomcat-docs-webapp | suse enterprise server 12 SP1 | 8.0.53-10.43.1 | fixed
tomcat-docs-webapp | suse enterprise server 12 SP2 | 8.0.53-29.27.1 | fixed
tomcat-docs-webapp | suse enterprise server 12 SP3 | 8.0.53-29.27.1 | fixed
tomcat-docs-webapp | suse enterprise server 12 SP4 | 9.0.31-3.25.1 | fixed
tomcat-docs-webapp | suse enterprise server 12 SP5 | 9.0.31-3.25.1 | fixed
tomcat-el-3_0-api | suse enterprise sap 12 SP1 | 8.0.53-10.43.1 | fixed
tomcat-el-3_0-api | suse enterprise sap 12 SP2 | 8.0.53-29.27.1 | fixed
tomcat-el-3_0-api | suse enterprise sap 12 SP3 | 8.0.53-29.27.1 | fixed
tomcat-el-3_0-api | suse enterprise sap 12 SP4 | 9.0.31-3.25.1 | fixed
tomcat-el-3_0-api | suse enterprise sap 12 SP5 | 9.0.31-3.25.1 | fixed
tomcat-el-3_0-api | suse enterprise sap 15 | 9.0.30-3.34.1 | fixed
tomcat-el-3_0-api | suse enterprise sap 15 SP1 | 9.0.30-4.10.1 | fixed
tomcat-el-3_0-api | suse enterprise server 12 SP1 | 8.0.53-10.43.1 | fixed
tomcat-el-3_0-api | suse enterprise server 12 SP2 | 8.0.53-29.27.1 | fixed
tomcat-el-3_0-api | suse enterprise server 12 SP3 | 8.0.53-29.27.1 | fixed
tomcat-el-3_0-api | suse enterprise server 12 SP4 | 9.0.31-3.25.1 | fixed
tomcat-el-3_0-api | suse enterprise server 12 SP5 | 9.0.31-3.25.1 | fixed
tomcat-el-3_0-api | suse enterprise server 15 | 9.0.30-3.34.1 | fixed
tomcat-el-3_0-api | suse enterprise server 15 SP1 | 9.0.30-4.10.1 | fixed
tomcat-javadoc | suse enterprise sap 12 SP1 | 8.0.53-10.43.1 | fixed
tomcat-javadoc | suse enterprise sap 12 SP2 | 8.0.53-29.27.1 | fixed
tomcat-javadoc | suse enterprise sap 12 SP3 | 8.0.53-29.27.1 | fixed
tomcat-javadoc | suse enterprise sap 12 SP4 | 9.0.31-3.25.1 | fixed
tomcat-javadoc | suse enterprise sap 12 SP5 | 9.0.31-3.25.1 | fixed
tomcat-javadoc | suse enterprise server 12 SP1 | 8.0.53-10.43.1 | fixed
tomcat-javadoc | suse enterprise server 12 SP2 | 8.0.53-29.27.1 | fixed
tomcat-javadoc | suse enterprise server 12 SP3 | 8.0.53-29.27.1 | fixed
tomcat-javadoc | suse enterprise server 12 SP4 | 9.0.31-3.25.1 | fixed
tomcat-javadoc | suse enterprise server 12 SP5 | 9.0.31-3.25.1 | fixed
tomcat-jsp-2_3-api | suse enterprise sap 12 SP1 | 8.0.53-10.43.1 | fixed
tomcat-jsp-2_3-api | suse enterprise sap 12 SP2 | 8.0.53-29.27.1 | fixed
tomcat-jsp-2_3-api | suse enterprise sap 12 SP3 | 8.0.53-29.27.1 | fixed
tomcat-jsp-2_3-api | suse enterprise sap 12 SP4 | 9.0.31-3.25.1 | fixed
tomcat-jsp-2_3-api | suse enterprise sap 12 SP5 | 9.0.31-3.25.1 | fixed
tomcat-jsp-2_3-api | suse enterprise sap 15 | 9.0.30-3.34.1 | fixed
tomcat-jsp-2_3-api | suse enterprise sap 15 SP1 | 9.0.30-4.10.1 | fixed
tomcat-jsp-2_3-api | suse enterprise server 12 SP1 | 8.0.53-10.43.1 | fixed
tomcat-jsp-2_3-api | suse enterprise server 12 SP2 | 8.0.53-29.27.1 | fixed
tomcat-jsp-2_3-api | suse enterprise server 12 SP3 | 8.0.53-29.27.1 | fixed
tomcat-jsp-2_3-api | suse enterprise server 12 SP4 | 9.0.31-3.25.1 | fixed
tomcat-jsp-2_3-api | suse enterprise server 12 SP5 | 9.0.31-3.25.1 | fixed
tomcat-jsp-2_3-api | suse enterprise server 15 | 9.0.30-3.34.1 | fixed
tomcat-jsp-2_3-api | suse enterprise server 15 SP1 | 9.0.30-4.10.1 | fixed
tomcat-lib | suse enterprise sap 12 SP1 | 8.0.53-10.43.1 | fixed
tomcat-lib | suse enterprise sap 12 SP2 | 8.0.53-29.27.1 | fixed
tomcat-lib | suse enterprise sap 12 SP3 | 8.0.53-29.27.1 | fixed
tomcat-lib | suse enterprise sap 12 SP4 | 9.0.31-3.25.1 | fixed
tomcat-lib | suse enterprise sap 12 SP5 | 9.0.31-3.25.1 | fixed
tomcat-lib | suse enterprise sap 15 | 9.0.30-3.34.1 | fixed
tomcat-lib | suse enterprise sap 15 SP1 | 9.0.30-4.10.1 | fixed
tomcat-lib | suse enterprise server 12 SP1 | 8.0.53-10.43.1 | fixed
tomcat-lib | suse enterprise server 12 SP2 | 8.0.53-29.27.1 | fixed
tomcat-lib | suse enterprise server 12 SP3 | 8.0.53-29.27.1 | fixed
tomcat-lib | suse enterprise server 12 SP4 | 9.0.31-3.25.1 | fixed
tomcat-lib | suse enterprise server 12 SP5 | 9.0.31-3.25.1 | fixed
tomcat-lib | suse enterprise server 15 | 9.0.30-3.34.1 | fixed
tomcat-lib | suse enterprise server 15 SP1 | 9.0.30-4.10.1 | fixed
tomcat-servlet-3_1-api | suse enterprise sap 12 SP1 | 8.0.53-10.43.1 | fixed
tomcat-servlet-3_1-api | suse enterprise sap 12 SP2 | 8.0.53-29.27.1 | fixed
tomcat-servlet-3_1-api | suse enterprise sap 12 SP3 | 8.0.53-29.27.1 | fixed
tomcat-servlet-3_1-api | suse enterprise server 12 SP1 | 8.0.53-10.43.1 | fixed
tomcat-servlet-3_1-api | suse enterprise server 12 SP2 | 8.0.53-29.27.1 | fixed
tomcat-servlet-3_1-api | suse enterprise server 12 SP3 | 8.0.53-29.27.1 | fixed
tomcat-servlet-4_0-api | suse enterprise sap 12 SP4 | 9.0.31-3.25.1 | fixed
tomcat-servlet-4_0-api | suse enterprise sap 12 SP5 | 9.0.31-3.25.1 | fixed
tomcat-servlet-4_0-api | suse enterprise sap 15 | 9.0.30-3.34.1 | fixed
tomcat-servlet-4_0-api | suse enterprise sap 15 SP1 | 9.0.30-4.10.1 | fixed
tomcat-servlet-4_0-api | suse enterprise server 12 SP4 | 9.0.31-3.25.1 | fixed
tomcat-servlet-4_0-api | suse enterprise server 12 SP5 | 9.0.31-3.25.1 | fixed
tomcat-servlet-4_0-api | suse enterprise server 15 | 9.0.30-3.34.1 | fixed
tomcat-servlet-4_0-api | suse enterprise server 15 SP1 | 9.0.30-4.10.1 | fixed
tomcat-webapps | suse enterprise sap 12 SP1 | 8.0.53-10.43.1 | fixed
tomcat-webapps | suse enterprise sap 12 SP2 | 8.0.53-29.27.1 | fixed
tomcat-webapps | suse enterprise sap 12 SP3 | 8.0.53-29.27.1 | fixed
tomcat-webapps | suse enterprise sap 12 SP4 | 9.0.31-3.25.1 | fixed
tomcat-webapps | suse enterprise sap 12 SP5 | 9.0.31-3.25.1 | fixed
tomcat-webapps | suse enterprise sap 15 | 9.0.30-3.34.1 | fixed
tomcat-webapps | suse enterprise sap 15 SP1 | 9.0.30-4.10.1 | fixed
tomcat-webapps | suse enterprise server 12 SP1 | 8.0.53-10.43.1 | fixed
tomcat-webapps | suse enterprise server 12 SP2 | 8.0.53-29.27.1 | fixed
tomcat-webapps | suse enterprise server 12 SP3 | 8.0.53-29.27.1 | fixed
tomcat-webapps | suse enterprise server 12 SP4 | 9.0.31-3.25.1 | fixed
tomcat-webapps | suse enterprise server 12 SP5 | 9.0.31-3.25.1 | fixed
tomcat-webapps | suse enterprise server 15 | 9.0.30-3.34.1 | fixed
tomcat-webapps | suse enterprise server 15 SP1 | 9.0.30-4.10.1 | fixed
Red Hat Enterprise Linux Releases

Red Hat Product | Release | Version | Status
--- | --- | --- | ---
tomcat | RHEL 7 | 0:7.0.76-15.el7 | fixed
tomcat-admin-webapps | RHEL 7 | 0:7.0.76-15.el7 | fixed
tomcat-docs-webapp | RHEL 7 | 0:7.0.76-15.el7 | fixed
tomcat-el-2.2-api | RHEL 7 | 0:7.0.76-15.el7 | fixed
tomcat-javadoc | RHEL 7 | 0:7.0.76-15.el7 | fixed
tomcat-jsp-2.2-api | RHEL 7 | 0:7.0.76-15.el7 | fixed
tomcat-jsvc | RHEL 7 | 0:7.0.76-15.el7 | fixed
tomcat-lib | RHEL 7 | 0:7.0.76-15.el7 | fixed
tomcat-servlet-3.0-api | RHEL 7 | 0:7.0.76-15.el7 | fixed
tomcat-webapps | RHEL 7 | 0:7.0.76-15.el7 | fixed