It was found that Tomcat’s FORM authentication allowed a very small window of time in which an attacker could possibly force a victim to use a valid user session, an attack known as session fixation. While practical exploitation of this issue is deemed highly improbable, an abundance of caution merits that it be considered a flaw. The highest threat from this vulnerability is to system availability, but it also threatens data confidentiality and integrity.
mail-archives.apache.org/mod_mbox/www-announce/201912.mbox/%[email protected]%3E
tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.30
bugzilla.redhat.com/show_bug.cgi?id=1785711
nvd.nist.gov/vuln/detail/CVE-2019-17563
tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.99
tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.50
www.cve.org/CVERecord?id=CVE-2019-17563