Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.29/207dc9ca4215853d96ed695862f9873001f02a4b/tomcat-embed-core-9.0.29.jar
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.
CVE-2019-17563 - High Severity Vulnerability
Vulnerable Library - tomcat-embed-core-9.0.29.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.29/207dc9ca4215853d96ed695862f9873001f02a4b/tomcat-embed-core-9.0.29.jar
Dependency Hierarchy: - spring-boot-starter-web-2.2.2.RELEASE.jar (Root Library) - spring-boot-starter-tomcat-2.2.2.RELEASE.jar - :x: **tomcat-embed-core-9.0.29.jar** (Vulnerable Library)
Found in HEAD commit: 93cea0c4bf231775beaf3f218ea3158e496714a8
Found in base branch: master
Vulnerability Details
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.
Publish Date: 2019-12-23
URL: CVE-2019-17563
CVSS 3 Score Details (7.5)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563
Release Date: 2019-12-23
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.30
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.3.RELEASE