Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 4.3
CVE Id CVE-2014-0033
Last Modified 11 Dec 2014 10:00:13
Published 26 Feb 2014 09:55:08
Confidentiality Impact PARTIAL
Integrity Impact NONE
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2014-0033

Summary

org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33 through 6.0.37 does not consider the disableURLRewriting setting when handling a session ID in a URL, which allows remote attackers to conduct session fixation attacks via a crafted URL.

Vulnerable Systems

Application

  • Apache Tomcat 6.0.33

  • Apache Tomcat 6.0.34

  • Apache Tomcat 6.0.35

  • Apache Tomcat 6.0.36

  • Apache Tomcat 6.0.37


References

CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1069919

CONFIRM - http://tomcat.apache.org/security-6.html

CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1558822

BID - 65769

CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21678231

CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21677147

CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21675886

SECUNIA - 59873

SECUNIA - 59722

SECUNIA - 59036

CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

CONFIRM - http://www.vmware.com/security/advisories/VMSA-2014-0012.html

BUGTRAQ - 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities

Related Patches

SUN122911-34 Solaris 10 SPARC: Apache 1.3 Patch

SUN122912-34 Solaris 10 x86: Apache 1.3 Patch


Last Updated: 27 May 2016 11:07:12