High severityNVD Advisory· Published Dec 23, 2019· Updated Aug 5, 2024
CVE-2019-17563
CVE-2019-17563
Description
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat.embed:tomcat-embed-coreMaven | < 7.0.99 | 7.0.99 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 8.0.0, < 8.5.50 | 8.5.50 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 9.0.0, < 9.0.30 | 9.0.30 |
Affected products
25- osv-coords24 versionspkg:apk/chainguard/spark-3.5.0-compatpkg:maven/org.apache.tomcat.embed/tomcat-embed-corepkg:rpm/opensuse/tomcat10&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweedpkg:rpm/suse/tomcat&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/tomcat&distro=SUSE%20Enterprise%20Storage%205pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCLpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208
< 3.5.0-r2+ 23 more
- (no CPE)range: < 3.5.0-r2
- (no CPE)range: < 7.0.99
- (no CPE)range: < 10.1.14-1.1
- (no CPE)range: < 9.0.30-lp151.3.6.1
- (no CPE)range: < 9.0.36-8.4
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 9.0.30-3.34.1
- (no CPE)range: < 9.0.30-4.10.1
- (no CPE)range: < 8.0.53-10.43.1
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 9.0.31-3.25.1
- (no CPE)range: < 9.0.31-3.25.1
- (no CPE)range: < 8.0.53-10.43.1
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 9.0.31-3.25.1
- (no CPE)range: < 9.0.31-3.25.1
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 8.0.53-29.27.1
- Apache Software Foundation/Apache Tomcatv5Range: 9.0.0.M1 to 9.0.29
Patches
Vulnerability mechanics
References
29- lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.htmlghsavendor-advisoryx_refsource_SUSEWEB
- github.com/advisories/GHSA-9xcj-c8cr-8c3cghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-17563ghsaADVISORY
- security.gentoo.org/glsa/202003-43ghsavendor-advisoryx_refsource_GENTOOWEB
- usn.ubuntu.com/4251-1/mitrevendor-advisoryx_refsource_UBUNTU
- www.debian.org/security/2019/dsa-4596ghsavendor-advisoryx_refsource_DEBIANWEB
- www.debian.org/security/2020/dsa-4680ghsavendor-advisoryx_refsource_DEBIANWEB
- lists.apache.org/thread.html/8b4c1db8300117b28a0f3f743c0b9e3f964687a690cdf9662a884bbd%40%3Cannounce.tomcat.apache.org%3Eghsax_refsource_CONFIRMWEB
- lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/reb9a66f176df29b9a832caa95ebd9ffa3284e8f4922ec4fa3ad8eb2e%40%3Cissues.cxf.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/reb9a66f176df29b9a832caa95ebd9ffa3284e8f4922ec4fa3ad8eb2e@%3Cissues.cxf.apache.org%3EghsaWEB
- lists.debian.org/debian-lts-announce/2020/01/msg00024.htmlghsamailing-listx_refsource_MLISTWEB
- lists.debian.org/debian-lts-announce/2020/05/msg00026.htmlghsamailing-listx_refsource_MLISTWEB
- seclists.org/bugtraq/2019/Dec/43ghsamailing-listx_refsource_BUGTRAQWEB
- security.netapp.com/advisory/ntap-20200107-0001ghsaWEB
- security.netapp.com/advisory/ntap-20200107-0001/mitrex_refsource_CONFIRM
- usn.ubuntu.com/4251-1ghsaWEB
- www.oracle.com/security-alerts/cpuapr2020.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujan2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujul2020.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.