Apache Tomcat: Low: Session Fixation (CVE-2015-5346)
Severity | CVSS v2 vector | Published | Added | Modified
---|---|---|---|---
7 | (AV:N/AC:M/Au:N/C:P/I:P/A:P) | Feb 23, 2016 | Feb 23, 2016 | Apr 14, 2025
Description
When recycling the Request object to use for a new request, the requestedSessionSSL field was not recycled. This meant that a session ID provided in the next request to be processed using the recycled Request object could be used when it should not have been: a client-supplied ID (for example from a JSESSIONID cookie) was treated as if it had come from the TLS session, so the client was able to choose the session ID. In theory, this could have been used as part of a session fixation attack, but it would have been hard to achieve because the attacker would not have been able to force the victim to use the 'correct' recycled Request object. It was also necessary for at least one web application to be configured to use the SSL session ID as the HTTP session ID (in Tomcat, `<tracking-mode>SSL</tracking-mode>` under `<session-config>` in the application's web.xml, or the equivalent ServletContext.setSessionTrackingModes call). This is not a common configuration.
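The following is an added illustration of the root cause, not Tomcat's code: a simplified, hypothetical model of a pooled request object whose recycle() forgets one field, beside the corrected version. The class and field names (Request, Manager, requestedSessionSSL, requestedSessionId) mirror the advisory's description; the session-creation rule (use the requested ID only when it came from the TLS session) is the assumption under which the stale flag lets a client pick its own session ID.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical model of request-object recycling; not Apache Tomcat's implementation. */
public class RecycledRequestDemo {

    /** A pooled, reused request object. Every per-request field must be cleared in recycle(). */
    static class Request {
        String requestedSessionId;   // ID the client offered (cookie/URL) or the TLS session ID
        boolean requestedSessionSSL; // true only when requestedSessionId came from the TLS session
        private final boolean fixed;

        Request(boolean fixed) { this.fixed = fixed; }

        void recycle() {
            requestedSessionId = null;
            if (fixed) {
                requestedSessionSSL = false; // the reset missing in the vulnerable versions
            }
            // vulnerable variant: requestedSessionSSL keeps its value from the previous request
        }
    }

    /** Minimal session manager: with SSL tracking the HTTP session ID is the TLS session ID. */
    static class Manager {
        private final SecureRandom rng = new SecureRandom();
        final Set<String> sessions = new HashSet<>();

        String createSession(Request req) {
            String id;
            if (req.requestedSessionSSL) {
                id = req.requestedSessionId;          // trusted: derived from the TLS session
            } else {
                byte[] b = new byte[16];
                rng.nextBytes(b);
                id = new BigInteger(1, b).toString(16); // fresh, server-chosen ID
            }
            sessions.add(id);
            return id;
        }
    }

    /**
     * Two requests served by the same recycled Request object:
     * 1) a TLS client in a webapp using tracking-mode SSL,
     * 2) a client that merely sends a cookie with an ID of its choosing.
     * Returns the session ID created for request 2.
     */
    static String runScenario(boolean fixed) {
        Request req = new Request(fixed);
        Manager mgr = new Manager();

        req.requestedSessionId = "tls-session-a1b2c3"; // constructed sample TLS session ID
        req.requestedSessionSSL = true;
        mgr.createSession(req);

        req.recycle();

        // Request 2 arrived with a cookie; the flag is not set for cookie-sourced IDs,
        // but in the vulnerable variant the stale 'true' survives recycle().
        req.requestedSessionId = "ATTACKER-CHOSEN"; // constructed attacker-supplied cookie value
        return mgr.createSession(req);
    }

    public static void main(String[] args) {
        String vulnerable = runScenario(false);
        String corrected = runScenario(true);
        System.out.println("vulnerable recycle(): session ID = " + vulnerable);
        System.out.println("fixed recycle():      session ID = " + corrected);
        if (!"ATTACKER-CHOSEN".equals(vulnerable)) throw new AssertionError("expected client-controlled ID");
        if ("ATTACKER-CHOSEN".equals(corrected)) throw new AssertionError("fixed variant must not reuse the ID");
    }
}
```

The general lesson is that any object returned to a pool must reset every field that influences a trust decision; a review of recycle() style methods should compare the field list against the class's declared fields rather than against the fields that happened to be set on the previous request.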
Solution(s)
