CVE-2015-5346
Session Fixation in Apache Tomcat
8.1
HIGH
CVSS 3.1
EPSS 36.6%
Description
Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.
How to fix CVE-2015-5346
To remediate CVE-2015-5346, upgrade Apache Tomcat to the first fixed release of the branch you run (fixed versions as given in the description above):
- 7.x: upgrade to 7.0.66 or later
- 8.x: upgrade to 8.0.30 or later
- 9.x: upgrade to 9.0.0.M2 or later
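To turn the version ranges above into a repeatable check, the following script compares a Tomcat version string (as printed by `catalina.sh version` / `version.sh`) against the fixed versions named in this advisory. It is an added example, not code from the Tomcat project or from the advisory; the fixed versions 7.0.66, 8.0.30 and 9.0.0.M2 come from the description above, and the sample `version.sh` output embedded in it is constructed, not captured from a real host. The one non-obvious point it handles is milestone ordering: 9.0.0.M1 must sort before 9.0.0.M2, and both before the 9.0.0 GA release.

```python
"""Check a reported Apache Tomcat version against the CVE-2015-5346 fixed versions.

Added example, not code from the Tomcat project or the advisory. The fixed
versions (7.0.66, 8.0.30, 9.0.0.M2) are taken from the advisory description;
the sample version.sh output below is constructed for this example.
"""
import re
from typing import Optional, Tuple

# First fixed release per affected major line, as stated in the advisory.
FIXED_VERSIONS = {7: "7.0.66", 8: "8.0.30", 9: "9.0.0.M2"}

# Matches the "Server version: Apache Tomcat/x.y.z" line of version.sh output.
_VERSION_RE = re.compile(r"Apache Tomcat/(\d[\w.\-]*)")


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Sort key for Tomcat version strings.

    Milestones such as 9.0.0.M1 (or 9.0.0-M1) sort before the GA release with
    the same numeric part, so 9.0.0.M1 < 9.0.0.M2 < 9.0.0 < 9.0.1.
    Key layout: (major, minor, patch, is_ga, milestone_number).
    """
    parts = re.split(r"[.\-]", version.strip())
    nums = []
    is_ga, milestone = 1, 0
    for part in parts:
        if part.isdigit():
            nums.append(int(part))
            continue
        m = re.fullmatch(r"(?:M|RC)(\d+)", part, re.IGNORECASE)
        if m is None:
            raise ValueError(f"unrecognised version component {part!r} in {version!r}")
        is_ga, milestone = 0, int(m.group(1))
    if not nums:
        raise ValueError(f"no numeric components in {version!r}")
    while len(nums) < 3:
        nums.append(0)
    major, minor, patch = nums[:3]
    return (major, minor, patch, is_ga, milestone)


def is_affected(version: str) -> Optional[bool]:
    """True if the version is below the fix for its major line, False if it is
    at or above the fix, None if the major line is not one the advisory
    describes (for example 6.x), so that the script never claims it is safe."""
    key = version_key(version)
    fixed = FIXED_VERSIONS.get(key[0])
    if fixed is None:
        return None
    return key < version_key(fixed)


def extract_version(version_sh_output: str) -> Optional[str]:
    """Pull the version string out of catalina.sh version / version.sh output."""
    m = _VERSION_RE.search(version_sh_output)
    return m.group(1) if m else None


# Constructed sample of version.sh output (not captured from a real host).
SAMPLE_VERSION_SH = """\
Using CATALINA_BASE:   /opt/tomcat
Using CATALINA_HOME:   /opt/tomcat
Server version: Apache Tomcat/8.0.29
Server number:  8.0.29.0
OS Name:        Linux
"""

if __name__ == "__main__":
    v = extract_version(SAMPLE_VERSION_SH)
    verdict = is_affected(v)
    fix = FIXED_VERSIONS.get(version_key(v)[0])
    print(f"Tomcat {v}: affected={verdict}, first fixed release={fix}")
```

Run it against the real output of `$CATALINA_HOME/bin/version.sh` on the host rather than against an HTTP `Server` header or error page, which are easily customised and do not reliably carry the build number. A `None` verdict means the advisory text does not cover that major line and the check has nothing to say about it.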
Is CVE-2015-5346 being exploited?
Moderate. EPSS is 36.6%, meaning the model estimates roughly a one-in-three probability of exploitation activity within the next 30 days. Track this CVE, but it is not at the top of the prioritisation list. Exploitation also depends on the specific configuration described above: multiple versions of the same web application deployed in parallel with differing session settings, which is why the CVSS vector rates attack complexity as high.
Affected packages (1)
- Apache Tomcat: >= 9.0.0.M1, < 9.0.0.M2
Only the 9.x range is listed here; the description above also covers 7.x before 7.0.66 and 8.x before 8.0.30.
CVSS scores
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
The vector string carries a CVSS:3.0 prefix while the source reports it as CVSS 3.1; the metrics are identical under both versions and score 8.1 either way.