CVE-2015-5351
Apache Tomcat allows remote attackers to bypass a CSRF protection mechanism by using a token
8.8
HIGH
CVSS 3.1
EPSS 6.0%
Description
The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.
How to fix CVE-2015-5351
To remediate CVE-2015-5351, upgrade the affected package to a fixed version below.
- upgrade to 7.0.68 or later (this record covers the 7.x line; per the description above, the 8.x and 9.x lines are fixed in 8.0.31 and 9.0.0.M2 respectively)
Is CVE-2015-5351 being exploited?
Moderate — EPSS is 6.0%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- all versions from 0 up to, but not including, 7.0.68
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |