VIR Vulnerability Intelligence Relay

CVE-2015-5346

high
Published 2016-02-25 · Modified 2024-03-11
CVSS v3
8.1
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2
6.8
VIR risk
8.1

Description

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.

Predictions

Exploit likelihood
88%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2015-5346

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://tomcat.apache.org/security-9.html

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://tomcat.apache.org/security-8.html

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://tomcat.apache.org/security-7.html

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2015-5346.html

OS impact
OSVersionStatusFixed in
suse slesaffected
debian debian7.0affected
debian debian8.0affected
ubuntu ubuntu12.04affected
ubuntu ubuntu14.04affected
ubuntu ubuntu15.10affected
ubuntu ubuntu16.04affected
debian debianbookwormfixed0
debian debianbullseyefixed0
debian debianforkyfixed0
debian debiansidfixed0
debian debiantrixiefixed0

Package impact
EcosystemPackageVulnerableFixed
java Mavenorg.apache.tomcat:tomcat>=9.0.0.M1,<9.0.0.M29.0.0.M2
java Mavenorg.apache.tomcat:tomcat>=8.0.0.RC1,<8.0.318.0.31
java Mavenorg.apache.tomcat:tomcat>=7.0.0,<7.0.667.0.66

Application impact
VendorProductVersionsFixed
apache apachetomcat7.0.0
apache apachetomcat7.0.2
apache apachetomcat7.0.4
apache apachetomcat7.0.5
apache apachetomcat7.0.6
apache apachetomcat7.0.10
apache apachetomcat7.0.11
apache apachetomcat7.0.12
apache apachetomcat7.0.14
apache apachetomcat7.0.16
apache apachetomcat7.0.19
apache apachetomcat7.0.20
apache apachetomcat7.0.21
apache apachetomcat7.0.22
apache apachetomcat7.0.23
apache apachetomcat7.0.25
apache apachetomcat7.0.26
apache apachetomcat7.0.27
apache apachetomcat7.0.28
apache apachetomcat7.0.29
apache apachetomcat7.0.30
apache apachetomcat7.0.32
apache apachetomcat7.0.33
apache apachetomcat7.0.34
apache apachetomcat7.0.35
apache apachetomcat7.0.37
apache apachetomcat7.0.39
apache apachetomcat7.0.40
apache apachetomcat7.0.41
apache apachetomcat7.0.42
apache apachetomcat7.0.47
apache apachetomcat7.0.50
apache apachetomcat7.0.52
apache apachetomcat7.0.53
apache apachetomcat7.0.54
apache apachetomcat7.0.55
apache apachetomcat7.0.56
apache apachetomcat7.0.57
apache apachetomcat7.0.59
apache apachetomcat7.0.61
apache apachetomcat7.0.62
apache apachetomcat7.0.63
apache apachetomcat7.0.64
apache apachetomcat7.0.65
apache apachetomcat8.0.0
apache apachetomcat8.0.1
apache apachetomcat8.0.3
apache apachetomcat8.0.11
apache apachetomcat8.0.12
apache apachetomcat8.0.14
apache apachetomcat8.0.15
apache apachetomcat8.0.17
apache apachetomcat8.0.18
apache apachetomcat8.0.20
apache apachetomcat8.0.21
apache apachetomcat8.0.22
apache apachetomcat8.0.23
apache apachetomcat8.0.24
apache apachetomcat8.0.26
apache apachetomcat8.0.27
apache apachetomcat8.0.28
apache apachetomcat8.0.29
apache apachetomcat9.0.0

References

Verify integrity in audit chain (admin only). AS-IS.