CVE-2014-0033

Published: Feb 26, 2014Modified: Apr 29, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33 through 6.0.37 does not consider the disableURLRewriting setting when handling a session ID in a URL, which allows remote attackers to conduct session fixation attacks via a crafted URL.

Affected (5)

Products: Apache: Tomcat

1 product

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Apache Tomcat	Version 6.0.33
Apache Tomcat	Version 6.0.34
Apache Tomcat	Version 6.0.35
Apache Tomcat	Version 6.0.36
Apache Tomcat	Version 6.0.37

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (46)

http://seclists.org/fulldisclosure/2014/Dec/23

Source: secalert@redhat.com

http://secunia.com/advisories/59036

Source: secalert@redhat.com

http://secunia.com/advisories/59722

Source: secalert@redhat.com

http://secunia.com/advisories/59873

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1558822

Source: secalert@redhat.com

http://tomcat.apache.org/security-6.html

Source: secalert@redhat.com

Vendor Advisory

http://www-01.ibm.com/support/docview.wss?uid=swg21675886

Source: secalert@redhat.com

http://www-01.ibm.com/support/docview.wss?uid=swg21677147

Source: secalert@redhat.com

http://www-01.ibm.com/support/docview.wss?uid=swg21678231

Source: secalert@redhat.com

http://www.debian.org/security/2016/dsa-3530

Source: secalert@redhat.com

http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

Source: secalert@redhat.com

http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

Source: secalert@redhat.com

http://www.securityfocus.com/archive/1/534161/100/0/threaded

Source: secalert@redhat.com

http://www.securityfocus.com/bid/65769

Source: secalert@redhat.com

http://www.ubuntu.com/usn/USN-2130-1

Source: secalert@redhat.com

http://www.vmware.com/security/advisories/VMSA-2014-0012.html

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1069919

Source: secalert@redhat.com

https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

http://seclists.org/fulldisclosure/2014/Dec/23

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/59036

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/59722

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/59873

Source: af854a3a-2127-422b-91ae-364da2661108

http://svn.apache.org/viewvc?view=revision&revision=1558822

Source: af854a3a-2127-422b-91ae-364da2661108

http://tomcat.apache.org/security-6.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www-01.ibm.com/support/docview.wss?uid=swg21675886

Source: af854a3a-2127-422b-91ae-364da2661108

http://www-01.ibm.com/support/docview.wss?uid=swg21677147

Source: af854a3a-2127-422b-91ae-364da2661108

http://www-01.ibm.com/support/docview.wss?uid=swg21678231

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.debian.org/security/2016/dsa-3530

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/archive/1/534161/100/0/threaded

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/65769

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.ubuntu.com/usn/USN-2130-1

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.vmware.com/security/advisories/VMSA-2014-0012.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugzilla.redhat.com/show_bug.cgi?id=1069919

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.