CVE-2015-5346
Description
Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.
Affected packages
Versions sourced from the GitHub Security Advisory. Note that the advisory's 8.x range (fixed in 8.0.31) does not match the description above (before 8.0.30); the Tomcat security pages listed under References give the exact releases for each branch.

| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.tomcat:tomcat | Maven | >= 9.0.0.M1, < 9.0.0.M2 | 9.0.0.M2 |
| org.apache.tomcat:tomcat | Maven | >= 8.0.0.RC1, < 8.0.31 | 8.0.31 |
| org.apache.tomcat:tomcat | Maven | >= 7.0.0, < 7.0.66 | 7.0.66 |
Affected products
apache:tomcat (66 CPE entries)
- cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.5:beta:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.21:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.22:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.23:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.24:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.26:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.27:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.28:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.29:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*
canonical:ubuntu_linux (4 CPE entries)
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
debian:debian_linux (2 CPE entries)
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Patches
c39b7ffc2145 (apache/tomcat80) Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=58809
3 files changed · +16 −4
java/org/apache/catalina/connector/CoyoteAdapter.java+1 −1 modified@@ -951,8 +951,8 @@ protected boolean postParseRequest(org.apache.coyote.Request req, Request reques // Recycle cookies and session info in case the // correct context is configured with different // settings - req.getCookies().recycle(); request.recycleSessionInfo(); + request.recycleCookieInfo(true); } break; }
java/org/apache/catalina/connector/Request.java+11 −3 modified@@ -477,8 +477,6 @@ public void recycle() { parts = null; } partsParseException = null; - cookiesParsed = false; - cookiesConverted = false; locales.clear(); localesParsed = false; secure = false; @@ -492,9 +490,9 @@ public void recycle() { attributes.clear(); sslAttributesParsed = false; notes.clear(); - cookies = null; recycleSessionInfo(); + recycleCookieInfo(false); if (Globals.IS_SECURITY_ENABLED || Connector.RECYCLE_FACADES) { parameterMap = new ParameterMap<>(); @@ -554,6 +552,16 @@ protected void recycleSessionInfo() { } + protected void recycleCookieInfo(boolean recycleCoyote) { + cookiesParsed = false; + cookiesConverted = false; + cookies = null; + if (recycleCoyote) { + getCoyoteRequest().getCookies().recycle(); + } + } + + public boolean read() throws IOException { return (inputBuffer.realReadBytes(null, 0, 0) > 0); }
webapps/docs/changelog.xml+4 −0 modified@@ -114,6 +114,10 @@ Fix declaration of <code>localPort</code> attribute of Connector MBean: it is read-only. (kkolinko) </fix> + <fix> + <bug>58809/bug>: Correctly recycle cookies when mapping requests for + parallel deployment. (markt) + </fix> </changelog> </subsection> <subsection name="Jasper">
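Review bot: the changelog hunk's closing tag is malformed as shown (`<bug>58809/bug>: Correctly recycle cookies when mapping requests for` has `/bug>` where `</bug>` belongs); if that is what was committed the changelog XML will not build, so check the file and fix the tag. In Request.java, `recycleCookieInfo(boolean recycleCoyote)` has no Javadoc, so a reader has to infer from the two call sites why `recycle()` passes `false` (the connector recycles the Coyote request on its own) while the remap in `CoyoteAdapter.postParseRequest` passes `true` (nothing else recycles `getCoyoteRequest().getCookies()` between the two mapping passes); a one-line comment on the parameter would save that reconstruction. The CoyoteAdapter hunk now also clears the Catalina-level `cookies`, `cookiesParsed` and `cookiesConverted` state that the previous `req.getCookies().recycle()` left set, which is the actual 58809 fix; the comment above it could say that the second mapping pass re-parses cookies with the remapped context's settings, which is why both layers have to be cleared.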
04164c1f01b9 (apache/tomcat) Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=58809
2 files changed · +12 −4
java/org/apache/catalina/connector/CoyoteAdapter.java+1 −1 modified@@ -719,8 +719,8 @@ protected boolean postParseRequest(org.apache.coyote.Request req, Request reques // Recycle cookies and session info in case the // correct context is configured with different // settings - req.getCookies().recycle(); request.recycleSessionInfo(); + request.recycleCookieInfo(true); } break; }
java/org/apache/catalina/connector/Request.java+11 −3 modified@@ -452,8 +452,6 @@ public void recycle() { parts = null; } partsParseException = null; - cookiesParsed = false; - cookiesConverted = false; locales.clear(); localesParsed = false; secure = false; @@ -467,9 +465,9 @@ public void recycle() { attributes.clear(); sslAttributesParsed = false; notes.clear(); - cookies = null; recycleSessionInfo(); + recycleCookieInfo(false); if (Globals.IS_SECURITY_ENABLED || Connector.RECYCLE_FACADES) { parameterMap = new ParameterMap<>(); @@ -520,6 +518,16 @@ protected void recycleSessionInfo() { } + protected void recycleCookieInfo(boolean recycleCoyote) { + cookiesParsed = false; + cookiesConverted = false; + cookies = null; + if (recycleCoyote) { + getCoyoteRequest().getCookies().recycle(); + } + } + + // -------------------------------------------------------- Request Methods /**
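Review bot: this commit changes 2 files and carries no webapps/docs/changelog.xml entry, while the tomcat80 commit for the same bug 58809 adds one ("Correctly recycle cookies when mapping requests for parallel deployment"); the trunk changelog should get the same entry. In Request.java the new `recycleCookieInfo(boolean recycleCoyote)` is undocumented: state on the parameter that `true` is for the parallel-deployment remap in `postParseRequest`, where the Coyote request is not otherwise recycled between mapping passes, and `false` is for `recycle()`, where the connector recycles the Coyote request separately. The CoyoteAdapter hunk is the substantive change: `req.getCookies().recycle()` alone left `cookiesParsed` true on the Catalina Request, so the second mapping pass reused cookies parsed under the first context's settings; the comment above the call should say that, since "Recycle cookies and session info" was already there when the bug existed.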
6287be37d8d0 (apache/tomcat, 7.0.x) Handle the unlikely case where different versions of a web application are deployed with different session settings
3 files changed · +26 −17
java/org/apache/catalina/connector/CoyoteAdapter.java+3 −0 modified@@ -781,6 +781,9 @@ protected boolean postParseRequest(org.apache.coyote.Request req, // Reset mapping request.getMappingData().recycle(); mapRequired = true; + // Recycle session info in case the correct + // context is configured with different settings + request.recycleSessionInfo(); } break; }
java/org/apache/catalina/connector/Request.java+19 −17 modified@@ -500,18 +500,7 @@ public void recycle() { notes.clear(); cookies = null; - if (session != null) { - try { - session.endAccess(); - } catch (Throwable t) { - ExceptionUtils.handleThrowable(t); - log.warn(sm.getString("coyoteRequest.sessionEndAccessFail"), t); - } - } - session = null; - requestedSessionCookie = false; - requestedSessionId = null; - requestedSessionURL = false; + recycleSessionInfo(); if (Globals.IS_SECURITY_ENABLED || Connector.RECYCLE_FACADES) { parameterMap = new ParameterMap<String, String[]>(); @@ -559,11 +548,24 @@ public void clearEncoders() { } - /** - * Clear cached encoders (to save memory for Comet requests). - */ - public boolean read() - throws IOException { + protected void recycleSessionInfo() { + if (session != null) { + try { + session.endAccess(); + } catch (Throwable t) { + ExceptionUtils.handleThrowable(t); + log.warn(sm.getString("coyoteRequest.sessionEndAccessFail"), t); + } + } + session = null; + requestedSessionCookie = false; + requestedSessionId = null; + requestedSessionURL = false; + requestedSessionSSL = false; + } + + + public boolean read() throws IOException { return (inputBuffer.realReadBytes(null, 0, 0) > 0); }
webapps/docs/changelog.xml+4 −0 modified@@ -127,6 +127,10 @@ <bug>58582</bug>: Combined realm should perform background processing on its sub-realms. Based upon a patch provided by Aidan. (kkolinko) </fix> + <fix> + Handle the unlikely case where different versions of a web application + are deployed with different session settings. (markt) + </fix> </changelog> </subsection> <subsection name="Cluster">
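Review bot: the line that matters for CVE-2015-5346 is `requestedSessionSSL = false;` in the new `recycleSessionInfo()`: the block this hunk removes from `recycle()` reset `session`, `requestedSessionCookie`, `requestedSessionId` and `requestedSessionURL` but never that flag, so it survived recycling into whatever request the pooled Request handled next. Neither the commit message nor the changelog entry ("Handle the unlikely case where different versions of a web application are deployed with different session settings") mentions the flag or that `recycle()` itself was incomplete, which is what distributions need in order to map this change to the advisory; the changelog entry should say so. In the CoyoteAdapter hunk the remap path now calls `request.recycleSessionInfo()` but, unlike the 8.0.x and trunk hunks, recycles no cookies at the same point; confirm that 7.0 has no per-context cookie settings the second mapping pass depends on. Minor: dropping the Javadoc "Clear cached encoders (to save memory for Comet requests)." from `read()` is right, since it described `clearEncoders()`, but the new `recycleSessionInfo()` should get a comment stating that it must run both from `recycle()` and from the remap path.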
41fbee7ba154 (apache/tomcat80) Handle the unlikely case where different versions of a web application are deployed with different session settings
3 files changed · +27 −19
java/org/apache/catalina/connector/CoyoteAdapter.java+4 −2 modified@@ -939,9 +939,11 @@ protected boolean postParseRequest(org.apache.coyote.Request req, Request reques // Reset mapping request.getMappingData().recycle(); mapRequired = true; - // Recycle cookies in case correct context is - // configured with different settings + // Recycle cookies and session info in case the + // correct context is configured with different + // settings req.getCookies().recycle(); + request.recycleSessionInfo(); } break; }
java/org/apache/catalina/connector/Request.java+19 −17 modified@@ -491,18 +491,7 @@ public void recycle() { notes.clear(); cookies = null; - if (session != null) { - try { - session.endAccess(); - } catch (Throwable t) { - ExceptionUtils.handleThrowable(t); - log.warn(sm.getString("coyoteRequest.sessionEndAccessFail"), t); - } - } - session = null; - requestedSessionCookie = false; - requestedSessionId = null; - requestedSessionURL = false; + recycleSessionInfo(); if (Globals.IS_SECURITY_ENABLED || Connector.RECYCLE_FACADES) { parameterMap = new ParameterMap<>(); @@ -545,11 +534,24 @@ public void clearEncoders() { } - /** - * Clear cached encoders (to save memory for Comet requests). - */ - public boolean read() - throws IOException { + protected void recycleSessionInfo() { + if (session != null) { + try { + session.endAccess(); + } catch (Throwable t) { + ExceptionUtils.handleThrowable(t); + log.warn(sm.getString("coyoteRequest.sessionEndAccessFail"), t); + } + } + session = null; + requestedSessionCookie = false; + requestedSessionId = null; + requestedSessionURL = false; + requestedSessionSSL = false; + } + + + public boolean read() throws IOException { return (inputBuffer.realReadBytes(null, 0, 0) > 0); }
webapps/docs/changelog.xml+4 −0 modified@@ -157,6 +157,10 @@ <bug>58582</bug>: Combined realm should perform background processing on its sub-realms. Based upon a patch provided by Aidan. (schultz) </fix> + <fix> + Handle the unlikely case where different versions of a web application + are deployed with different session settings. (markt) + </fix> </changelog> </subsection> <subsection name="Coyote">
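Review bot: `requestedSessionSSL = false;` in `recycleSessionInfo()` is the one reset the removed `recycle()` block never performed, and it is easy to miss inside a hunk that otherwise just moves code; the rewritten CoyoteAdapter comment ("Recycle cookies and session info in case the correct context is configured with different settings") and the changelog entry describe the remap case only, so add a sentence that the flag also leaked between requests through `recycle()`. `recycleSessionInfo()` is declared `protected` but its new caller, `CoyoteAdapter`, is a same-package class rather than a subclass; package-private visibility, or a comment naming the caller, would state the intent. On the remap path `session` should still be null, so the `session.endAccess()` branch is inert there; a comment recording that precondition would keep a later change from calling `endAccess()` on a session that was never accessed.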
83679b99cd40 (apache/tomcat, trunk) Handle the unlikely case where different versions of a web application are deployed with different session settings
2 files changed · +22 −14
java/org/apache/catalina/connector/CoyoteAdapter.java+4 −2 modified@@ -757,9 +757,11 @@ protected boolean postParseRequest(org.apache.coyote.Request req, Request reques // Reset mapping request.getMappingData().recycle(); mapRequired = true; - // Recycle cookies in case correct context is - // configured with different settings + // Recycle cookies and session info in case the + // correct context is configured with different + // settings req.getCookies().recycle(); + request.recycleSessionInfo(); } break; }
java/org/apache/catalina/connector/Request.java+18 −12 modified@@ -468,18 +468,7 @@ public void recycle() { notes.clear(); cookies = null; - if (session != null) { - try { - session.endAccess(); - } catch (Throwable t) { - ExceptionUtils.handleThrowable(t); - log.warn(sm.getString("coyoteRequest.sessionEndAccessFail"), t); - } - } - session = null; - requestedSessionCookie = false; - requestedSessionId = null; - requestedSessionURL = false; + recycleSessionInfo(); if (Globals.IS_SECURITY_ENABLED || Connector.RECYCLE_FACADES) { parameterMap = new ParameterMap<>(); @@ -513,6 +502,23 @@ public void recycle() { } + protected void recycleSessionInfo() { + if (session != null) { + try { + session.endAccess(); + } catch (Throwable t) { + ExceptionUtils.handleThrowable(t); + log.warn(sm.getString("coyoteRequest.sessionEndAccessFail"), t); + } + } + session = null; + requestedSessionCookie = false; + requestedSessionId = null; + requestedSessionURL = false; + requestedSessionSSL = false; + } + + // -------------------------------------------------------- Request Methods /**
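Review bot: this commit changes 2 files and has no webapps/docs/changelog.xml entry, while the 7.0 and 8.0.x commits with the same message add one; trunk needs the entry too. The substantive change is `requestedSessionSSL = false;` in the new `recycleSessionInfo()`, which the old `recycle()` block (the removed lines reset only `requestedSessionCookie`, `requestedSessionId` and `requestedSessionURL`) never cleared; the commit message talks only about different versions with different session settings, so a regression test that pushes two requests through one recycled Request, the first under SSL session tracking and the second carrying a client-supplied id, would pin down the behaviour this line fixes. On ordering in the CoyoteAdapter hunk, `req.getCookies().recycle()` runs before `request.recycleSessionInfo()`, which is fine because the second mapping pass re-parses both, but the comment should say that cookies are cleared so the next pass parses them under the remapped context's settings rather than leaving the reader to guess what "different settings" covers.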
Vulnerability mechanics
The connector-level Request object (org.apache.catalina.connector.Request) is pooled and reset between requests by Request.recycle(). As the fix commits show, the block in recycle() that cleared session state reset session, requestedSessionCookie, requestedSessionId and requestedSessionURL, but not requestedSessionSSL, the flag recording that the requested session ID was taken from the TLS session rather than from a cookie or URL. Request's session-creation path treats a requested ID that came from the TLS session as one it may reuse for a new session (that is what the flag exists for), so a stale true value lets a client-supplied ID on a later request handled by the same pooled object be adopted as the new session's ID: a session fixation, which is what the description refers to as "use of a requestedSessionSSL field for an unintended request". The same stale-state problem arose inside a single request under parallel deployment: the loop in CoyoteAdapter.postParseRequest that the hunks sit in maps the request, parses the session ID under that context's settings and, when the session belongs to another version of the application, resets the mapping and maps again; before the fix only the mapping data (and, on 8.0.x and trunk, the Coyote cookies) were reset at that point, so the session ID and flags parsed under the first version's session settings were carried into the second version. The fix moves the reset into Request.recycleSessionInfo(), adds requestedSessionSSL = false to it, and calls it both from recycle() and from the remap path; the follow-up for bug 58809 applies the same treatment to the parsed-cookie state (cookies, cookiesParsed, cookiesConverted) through Request.recycleCookieInfo(), because the second mapping pass must re-parse cookies with the remapped context's settings.
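To make the state carry-over concrete, the following is an added example, not Tomcat code and not taken from any of the commits above: a Java model of the pooled Request, the session store and the recycle step. The class names SessionStore and PooledRequest, the method names parseRequestedSession, getSession, recycle and secondRequestSessionId, and the session and cookie values are this example's own constructions; only the three field names requestedSessionId, requestedSessionCookie and requestedSessionSSL copy the diffs. It compresses Tomcat's mapping and remapping into two consecutive requests on one pooled object whose contexts use different session tracking modes, which is the shape the description's condition (versions deployed with different session settings) reduces to, and runs that sequence once with the pre-fix recycle() and once with the fixed one.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

/**
 * Added example, not Tomcat code: a model of the pooled connector Request
 * and the session-id handling behind CVE-2015-5346. Names are this
 * example's own except the three field names copied from the fix diffs.
 */
public class SessionFixationModel {

    /** Which source of session ids a context is configured to honour. */
    enum TrackingMode { COOKIE, SSL }

    /** Stand-in for the Manager: a table of live session ids. */
    static final class SessionStore {
        private final Map<String, Boolean> live = new HashMap<>();

        /** Like createSession(id): honours a caller-supplied id, else generates one. */
        String create(String requestedId) {
            String id = requestedId != null ? requestedId : UUID.randomUUID().toString();
            live.put(id, Boolean.TRUE);
            return id;
        }

        boolean exists(String id) {
            return id != null && live.containsKey(id);
        }
    }

    /** Stand-in for org.apache.catalina.connector.Request, reused across requests. */
    static final class PooledRequest {
        private final SessionStore store;
        private final boolean resetSslFlagOnRecycle; // false models recycle() before the fix
        String requestedSessionId;
        boolean requestedSessionCookie;
        boolean requestedSessionSSL;

        PooledRequest(SessionStore store, boolean resetSslFlagOnRecycle) {
            this.store = store;
            this.resetSslFlagOnRecycle = resetSslFlagOnRecycle;
        }

        /** Connector side: take the requested id from the cookie or, under SSL tracking, from the TLS session. */
        void parseRequestedSession(TrackingMode mode, String cookieId, String tlsSessionId) {
            if (mode == TrackingMode.COOKIE && cookieId != null) {
                requestedSessionId = cookieId;
                requestedSessionCookie = true;
            } else if (mode == TrackingMode.SSL && requestedSessionId == null && tlsSessionId != null) {
                requestedSessionId = tlsSessionId;
                requestedSessionSSL = true;
            }
        }

        /**
         * getSession(true): join an existing requested session, otherwise create one,
         * reusing the requested id only when it came from the TLS session. With a
         * stale requestedSessionSSL the reuse also applies to an id that arrived in a cookie.
         */
        String getSession() {
            if (store.exists(requestedSessionId)) {
                return requestedSessionId;
            }
            return store.create(requestedSessionSSL ? requestedSessionId : null);
        }

        /** Back to the pool. Before the fix, requestedSessionSSL survived this step. */
        void recycle() {
            requestedSessionId = null;
            requestedSessionCookie = false;
            if (resetSslFlagOnRecycle) {
                requestedSessionSSL = false;
            }
        }
    }

    /**
     * Two requests through one pooled object: a client of an SSL-tracked context,
     * then a victim of a cookie-tracked context whose cookie carries an id the
     * attacker planted. Returns the id of the session the second request gets.
     */
    static String secondRequestSessionId(boolean fixed, String plantedId) {
        SessionStore store = new SessionStore();
        PooledRequest req = new PooledRequest(store, fixed);

        req.parseRequestedSession(TrackingMode.SSL, null, "tls-session-0001"); // constructed TLS session id
        req.getSession();
        req.recycle();

        req.parseRequestedSession(TrackingMode.COOKIE, plantedId, null);
        return req.getSession();
    }

    public static void main(String[] args) {
        String planted = "ATTACKER-CHOSEN-ID"; // constructed: the id set in the victim's cookie
        String preFix = secondRequestSessionId(false, planted);
        String postFix = secondRequestSessionId(true, planted);
        System.out.println("pre-fix : " + preFix
                + (preFix.equals(planted) ? "   <- attacker's id adopted (fixation)" : ""));
        System.out.println("post-fix: " + postFix
                + (postFix.equals(planted) ? "" : "   <- server-generated, planted id ignored"));
    }
}
```

Compile and run with `javac SessionFixationModel.java && java SessionFixationModel`: the pre-fix run prints the planted id as the new session's id, the post-fix run prints a generated one. The design point the diffs encode is the general one for any pooled request object: every per-request field needs an explicit reset, and a flag that widens what a client-supplied value is trusted to do must never be allowed to keep its previous value.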
References
- tomcat.apache.org/security-7.html (vendor advisory; NVD)
- tomcat.apache.org/security-8.html (vendor advisory; NVD)
- tomcat.apache.org/security-9.html (vendor advisory; NVD)
- github.com/advisories/GHSA-jrcp-c39h-r29x (advisory; GHSA)
- nvd.nist.gov/vuln/detail/CVE-2015-5346 (advisory; GHSA)
- lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html (NVD)
- lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html (NVD)
- lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html (NVD)
- packetstormsecurity.com/files/135890/Apache-Tomcat-Session-Fixation.html (NVD)
- rhn.redhat.com/errata/RHSA-2016-1089.html (NVD)
- rhn.redhat.com/errata/RHSA-2016-2046.html (NVD)
- rhn.redhat.com/errata/RHSA-2016-2807.html (NVD)
- rhn.redhat.com/errata/RHSA-2016-2808.html (NVD)
- seclists.org/bugtraq/2016/Feb/143 (NVD)
- svn.apache.org/viewvc (five revision links; the revision query strings were not preserved) (NVD)
- www.debian.org/security/2016/dsa-3530 (NVD)
- www.debian.org/security/2016/dsa-3552 (NVD)
- www.debian.org/security/2016/dsa-3609 (NVD)
- www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html (NVD)
- www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html (NVD)
- www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html (NVD)
- www.ubuntu.com/usn/USN-3024-1 (NVD)
- access.redhat.com/errata/RHSA-2016:1087 (NVD)
- access.redhat.com/errata/RHSA-2016:1088 (NVD)
- bto.bluecoat.com/security-advisory/sa118 (NVD)
- bz.apache.org/bugzilla/show_bug.cgi (bug id not preserved in the link) (NVD)
- github.com/apache/tomcat/commit/04164c1f01b973e548d95511d417f414ca723cb8 (GHSA)
- github.com/apache/tomcat/commit/6287be37d8d06c320215c45f7e2b8380411692e0 (GHSA)
- github.com/apache/tomcat/commit/83679b99cd40caa401d173c8f8e72fc98eb5d5be (GHSA)
- github.com/apache/tomcat80/commit/41fbee7ba15435a831f765597ff907c56ebf2169 (GHSA)
- github.com/apache/tomcat80/commit/c39b7ffc2145644f7f3cf9e3cd4aada5048e56a0 (GHSA)
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay (two entries; document ids not preserved) (NVD)
- lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E (NVD, GHSA)
- security.gentoo.org/glsa/201705-09 (NVD)
- security.netapp.com/advisory/ntap-20180531-0001 (NVD, GHSA)
- www.securitytracker.com/id/1035069 (NVD; archived copy web.archive.org/web/20160321234551/http://www.securitytracker.com/id/1035069 listed by GHSA)
- www.securityfocus.com/bid/83323 (NVD; archived copy web.archive.org/web/20160912063818/http://www.securityfocus.com/bid/83323 listed by GHSA)