vulnerability
Amazon Linux AMI: Security patch for tomcat7 (ALAS-2016-657) (multiple CVEs)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:M/Au:N/C:P/I:P/A:P) | Feb 24, 2016 | Mar 11, 2016 | Jul 28, 2025 |
Severity
7
CVSS
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Published
Feb 24, 2016
Added
Mar 11, 2016
Modified
Jul 28, 2025
Description
Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.
Solutions
amazon-linux-upgrade-tomcat7amazon-linux-upgrade-tomcat7-admin-webappsamazon-linux-upgrade-tomcat7-docs-webappamazon-linux-upgrade-tomcat7-el-2-2-apiamazon-linux-upgrade-tomcat7-javadocamazon-linux-upgrade-tomcat7-jsp-2-2-apiamazon-linux-upgrade-tomcat7-libamazon-linux-upgrade-tomcat7-log4jamazon-linux-upgrade-tomcat7-servlet-3-0-apiamazon-linux-upgrade-tomcat7-webapps
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.