CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS
Percentile: 85.1%
java/org/apache/catalina/authenticator/FormAuthenticator.java in the form
authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x
before 7.0.33 does not properly handle the relationships between
authentication requirements and sessions, which allows remote attackers to
inject a request into a session by sending this request during completion
of the login form, a variant of a session fixation attack.
mail-archives.apache.org/mod_mbox/tomcat-announce/201305.mbox/%[email protected]%3E
tomcat.apache.org/security-6.html
tomcat.apache.org/security-7.html
launchpad.net/bugs/cve/CVE-2013-2067
nvd.nist.gov/vuln/detail/CVE-2013-2067
security-tracker.debian.org/tracker/CVE-2013-2067
ubuntu.com/security/notices/USN-1841-1
www.cve.org/CVERecord?id=CVE-2013-2067