Session Fixation Affecting org.apache.tomcat.embed:tomcat-embed-core package, versions [9.0.0.M1, 9.0.30) [8.5.0,8.5.50) [,7.0.99)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
20 Dec 2019
18 Dec 2019
William Marlow (IBM)
How to fix?
org.apache.tomcat.embed:tomcat-embed-core to version 9.0.30, 8.5.50, 7.0.99 or higher.
org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.
Affected versions of this package are vulnerable to Session Fixation. When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.