CVE-2014-0033

Priority
Low
Description
org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33
through 6.0.37 does not consider the disableURLRewriting setting when
handling a session ID in a URL, which allows remote attackers to conduct
session fixation attacks via a crafted URL.
References
Bugs
Notes
mdeslaur> introduced by http://svn.apache.org/viewvc?view=rev&rev=1149220
mdeslaur> in 6.0.33
Assigned-to
mdeslaur
Package
Upstream: not-affected
Ubuntu 10.04 LTS (Lucid Lynx): DNE
Ubuntu 12.04 LTS (Precise Pangolin): not-affected
Ubuntu 13.10 (Saucy Salamander): not-affected
Ubuntu 14.04 LTS (Trusty Tahr): not-affected
Ubuntu 14.10 (Utopic Unicorn): not-affected
Package
Upstream: released (6.0.39)
Ubuntu 10.04 LTS (Lucid Lynx): not-affected (6.0.24-2ubuntu1.13)
Ubuntu 12.04 LTS (Precise Pangolin): released (6.0.35-1ubuntu3.4)
Ubuntu 13.10 (Saucy Salamander): ignored (reached end-of-life)
Ubuntu 14.04 LTS (Trusty Tahr): not-affected (6.0.39-1)
Ubuntu 14.10 (Utopic Unicorn): not-affected (6.0.39-1)
Patches:
Upstream: http://svn.apache.org/viewvc?view=rev&rev=1558822

Updated: 2014-07-17 15:17:32 UTC (commit 8246)