java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.
References
http://archives.neohapsis.com/archives/bugtraq/2013-05/0041.html
http://rhn.redhat.com/errata/RHSA-2013-0833.html
http://rhn.redhat.com/errata/RHSA-2013-0834.html
http://rhn.redhat.com/errata/RHSA-2013-0839.html
http://rhn.redhat.com/errata/RHSA-2013-0964.html
http://rhn.redhat.com/errata/RHSA-2013-1437.html
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?r1=1417891&r2=1417890&pathrev=1417891
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?r1=1408044&r2=1408043&pathrev=1408044
http://svn.apache.org/viewvc?view=revision&revision=1408044
http://svn.apache.org/viewvc?view=revision&revision=1417891
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
http://www.securityfocus.com/bid/59799
http://www.securityfocus.com/bid/64758
http://www.ubuntu.com/usn/USN-1841-1
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E
https://nvd.nist.gov/vuln/detail/CVE-2013-2067
https://www.cve.org/CVERecord?id=CVE-2013-2067
History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2013-06-01T10:00:00

Updated: 2024-08-06T15:27:40.650Z

Reserved: 2013-02-19T00:00:00

Link: CVE-2013-2067

Vulnrichment

No data.

NVD

Status: Modified

Published: 2013-06-01T14:21:05.847

Modified: 2024-11-21T01:50:58.187

Link: CVE-2013-2067

Red Hat

Severity: Moderate

Public Date: 2013-05-10T00:00:00Z

Links: CVE-2013-2067 - Bugzilla