CVE-2013-2067

Priority
Description
java/org/apache/catalina/authenticator/FormAuthenticator.java in the form
authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x
before 7.0.33 does not properly handle the relationships between
authentication requirements and sessions, which allows remote attackers to
inject a request into a session by sending this request during completion
of the login form, a variant of a session fixation attack.
Notes
Package
Upstream: released (6.0.37)
Ubuntu 12.04 ESM (Precise Pangolin): released (6.0.35-1ubuntu3.3)
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was not-affected [6.0.39-1])
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (6.0.39-1)
Patches:
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1417891
Package
Upstream: released (7.0.33)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needed)
Ubuntu 14.04 ESM (Trusty Tahr): not-affected
Ubuntu 16.04 LTS (Xenial Xerus): not-affected
Patches:
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1408044
More Information

Updated: 2019-12-05 21:03:49 UTC (commit 0aa5e7c87c8b55d2ec5c7f4ca1179cf75de91961)