CVE-2019-17563

Public on 2019-12-23

Modified on 2023-05-04

Description

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

Severity

Important

See what this means

CVSS v3 Base Score

7.5

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory
Amazon Linux 2 - Core	tomcat	2023-05-11 17:49	ALAS2-2023-2047
Amazon Linux 2 - Tomcat8.5 Extra	tomcat	2023-08-21 20:58	ALAS2TOMCAT8.5-2023-013
Amazon Linux 2 - Tomcat9 Extra	tomcat	2023-08-21 20:58	ALAS2TOMCAT9-2023-008
Amazon Linux 1	tomcat8	2020-01-14 18:18	ALAS-2020-1337

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	7.5	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD	CVSSv2	5.1	AV:N/AC:H/Au:N/C:P/I:P/A:P
NVD	CVSSv3	7.5	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Red Hat: CVE-2019-17563 Mitre: CVE-2019-17563 FAQs regarding Amazon Linux ALAS/CVE Severity