When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Tomcat | Apache | 7.0.0 (including) | 7.0.98 (including) |
Tomcat | Apache | 8.5.0 (including) | 8.5.49 (including) |
Tomcat | Apache | 9.0.0 (including) | 9.0.29 (including) |
Such a scenario is commonly observed when: