Descriptionjava/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.
NVD CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
SUSE informationSUSE Bugzilla entries: 822177 [RESOLVED / FIXED], 831112 [RESOLVED / FIXED] SUSE Security Advisories:
- openSUSE-SU-2013:1307-1, published Wed, 7 Aug 2013 10:04:39 +0200 (CEST)
- openSUSE-SU-2013:1411-1, published Sun, 8 Sep 2013 18:04:38 +0200 (CEST)
List of released packages
|Product(s)||Fixed package version(s)||References|
|openSUSE Evergreen 11.4|| ||Patchnames: |