Back to bug 1311085
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Timothy Walsh | 2016-02-23 11:07:14 UTC | Fixed In Version | tomcat 7.0.67, | tomcat 7.0.67, tomcat 8.0.32 |
| Timothy Walsh | 2016-02-23 11:08:42 UTC | Whiteboard | impact=low,public=20160222,reported=20140622,source=upstream,brms-5/jbossweb=new,eap-4/jbossweb=wontfix,eap-5/jbossweb=wontfix,eap-6/jbossweb=affected,epel-6/tomcat=affected,fedora-all/tomcat=new,fsw-6/jbossweb=new,jbews-1/tomcat5=wontfix,jbews-1/tomcat6=wontfix,jbews-2/tomcat6=affected,jbews-2/tomcat7=affected,jbews-3/tomcat7=affected,jbews-3/tomcat8=affected,jdg-6/jbossweb=affected,jon-3/jbossweb=affected,jpp-6/jbossweb=affected,openshift-1/jbossweb=new,rhel-6/tomcat6=affected,rhel-7/tomcat=affected,soap-4/jbossweb=wontfix,soap-5/jbossweb=wontfix | impact=low,public=20160222,reported=20140622,source=upstream,brms-5/jbossweb=new,eap-4/jbossweb=wontfix,eap-5/jbossweb=wontfix,eap-6/jbossweb=affected,epel-6/tomcat=affected,fedora-all/tomcat=new,fsw-6/jbossweb=new,jbews-2/tomcat7=affected,jbews-3/tomcat7=affected,jbews-3/tomcat8=affected,jdg-6/jbossweb=affected,jon-3/jbossweb=affected,jpp-6/jbossweb=affected,openshift-1/jbossweb=new,rhel-6/tomcat6=affected,rhel-7/tomcat=affected |
| Tomas Hoger | 2016-02-23 11:33:00 UTC | Summary | CVE-2015-5346 Apache Tomcat Session fixation | CVE-2015-5346 tomcat: Session fixation |
| Andrej Nemec | 2016-02-23 11:35:17 UTC | CC | anemec | |
| Andrej Nemec | 2016-02-23 12:02:43 UTC | Whiteboard | impact=low,public=20160222,reported=20140622,source=upstream,brms-5/jbossweb=new,eap-4/jbossweb=wontfix,eap-5/jbossweb=wontfix,eap-6/jbossweb=affected,epel-6/tomcat=affected,fedora-all/tomcat=new,fsw-6/jbossweb=new,jbews-2/tomcat7=affected,jbews-3/tomcat7=affected,jbews-3/tomcat8=affected,jdg-6/jbossweb=affected,jon-3/jbossweb=affected,jpp-6/jbossweb=affected,openshift-1/jbossweb=new,rhel-6/tomcat6=affected,rhel-7/tomcat=affected | impact=low,public=20160222,reported=20140622,source=bugtraq,brms-5/jbossweb=new,eap-4/jbossweb=wontfix,eap-5/jbossweb=wontfix,eap-6/jbossweb=affected,epel-6/tomcat=affected,fedora-all/tomcat=new,fsw-6/jbossweb=new,jbews-2/tomcat7=affected,jbews-3/tomcat7=affected,jbews-3/tomcat8=affected,jdg-6/jbossweb=affected,jon-3/jbossweb=affected,jpp-6/jbossweb=affected,openshift-1/jbossweb=new,rhel-6/tomcat6=affected,rhel-7/tomcat=affected |
| Andrej Nemec | 2016-02-23 12:09:21 UTC | Depends On | 1311095 | |
| Andrej Nemec | 2016-02-23 12:10:12 UTC | Depends On | 1311102 | |
| Andrej Nemec | 2016-02-23 12:15:38 UTC | Blocks | 1311109 | |
| Muhammad Azhar Shaikh | 2016-02-27 05:59:37 UTC | CC | mdshaikh | |
| Timothy Walsh | 2016-03-09 09:42:37 UTC | Depends On | 1316022 | |
| Timothy Walsh | 2016-03-09 09:42:47 UTC | Depends On | 1316023 | |
| Timothy Walsh | 2016-03-31 10:51:50 UTC | Whiteboard | impact=low,public=20160222,reported=20140622,source=bugtraq,brms-5/jbossweb=new,eap-4/jbossweb=wontfix,eap-5/jbossweb=wontfix,eap-6/jbossweb=affected,epel-6/tomcat=affected,fedora-all/tomcat=new,fsw-6/jbossweb=new,jbews-2/tomcat7=affected,jbews-3/tomcat7=affected,jbews-3/tomcat8=affected,jdg-6/jbossweb=affected,jon-3/jbossweb=affected,jpp-6/jbossweb=affected,openshift-1/jbossweb=new,rhel-6/tomcat6=affected,rhel-7/tomcat=affected | impact=low,public=20160222,reported=20140622,source=bugtraq,brms-5/jbossweb=new,eap-4/jbossweb=wontfix,eap-5/jbossweb=wontfix,eap-6/jbossweb=affected,epel-6/tomcat=affected,fedora-all/tomcat=new,fsw-6/jbossweb=new,jbews-2/tomcat7=wontfix,jbews-3/tomcat7=affected,jbews-3/tomcat8=affected,jdg-6/jbossweb=affected,jon-3/jbossweb=affected,jpp-6/jbossweb=affected,openshift-1/jbossweb=new,rhel-6/tomcat6=affected,rhel-7/tomcat=affected |
| Timothy Walsh | 2016-03-31 10:56:34 UTC | Depends On | 1322794 | |
| Timothy Walsh | 2016-03-31 10:56:43 UTC | Depends On | 1322795 | |
| Timothy Walsh | 2016-04-08 06:47:01 UTC | Doc Text | When recycling the Request object to use for a new request, the requestedSessionSSL field was not recycled. This meant that a session ID provided in the next request to be processed using the recycled Request object could be used when it should not have been. This gave the client the ability to control the session ID. In theory, this could have been used as part of a session fixation attack but it would have been hard to achieve as the attacker would not have been able to force the victim to use the 'correct' Request object. It was also necessary for at least one web application to be configured to use the SSL session ID as the HTTP session ID. This is not a common configuration. | |
| Martin Prpič | 2016-04-13 13:37:32 UTC | Doc Text | When recycling the Request object to use for a new request, the requestedSessionSSL field was not recycled. This meant that a session ID provided in the next request to be processed using the recycled Request object could be used when it should not have been. This gave the client the ability to control the session ID. In theory, this could have been used as part of a session fixation attack but it would have been hard to achieve as the attacker would not have been able to force the victim to use the 'correct' Request object. It was also necessary for at least one web application to be configured to use the SSL session ID as the HTTP session ID. This is not a common configuration. | |
| Timothy Walsh | 2016-04-18 05:55:09 UTC | Doc Text | It was found that Tomcat would not recycle the requestedSessionSSL field. This gave the client the ability to control the session ID. It was also necessary for at least one web application to be configured to use the SSL session ID as the HTTP session ID. This is not a common configuration. | |
| Timothy Walsh | 2016-05-05 11:26:56 UTC | Priority | low | medium |
| | | Whiteboard | impact=low,public=20160222,reported=20140622,source=bugtraq,brms-5/jbossweb=new,eap-4/jbossweb=wontfix,eap-5/jbossweb=wontfix,eap-6/jbossweb=affected,epel-6/tomcat=affected,fedora-all/tomcat=new,fsw-6/jbossweb=new,jbews-2/tomcat7=wontfix,jbews-3/tomcat7=affected,jbews-3/tomcat8=affected,jdg-6/jbossweb=affected,jon-3/jbossweb=affected,jpp-6/jbossweb=affected,openshift-1/jbossweb=new,rhel-6/tomcat6=affected,rhel-7/tomcat=affected | impact=low,public=20160222,reported=20140622,source=bugtraq,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,brms-5/jbossweb=new,eap-4/jbossweb=wontfix,eap-5/jbossweb=wontfix,eap-6/jbossweb=affected,epel-6/tomcat=affected,fedora-all/tomcat=new,fsw-6/jbossweb=new,jbews-2/tomcat7=wontfix,jbews-3/tomcat7=affected,jbews-3/tomcat8=affected,jdg-6/jbossweb=affected,jon-3/jbossweb=affected,jpp-6/jbossweb=affected,openshift-1/jbossweb=new,rhel-6/tomcat6=affected,rhel-7/tomcat=affected |
| | | Severity | low | medium |
| Martin Prpič | 2016-05-06 09:15:34 UTC | Doc Text | It was found that Tomcat would not recycle the requestedSessionSSL field. This gave the client the ability to control the session ID. It was also necessary for at least one web application to be configured to use the SSL session ID as the HTTP session ID. This is not a common configuration. | A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. |
| Yasuhiro Ozone | 2016-06-09 05:38:55 UTC | CC | yozone | |
| Martin Poole | 2016-06-14 14:28:23 UTC | CC | mpoole | |
| Timothy Walsh | 2016-06-16 06:49:19 UTC | Depends On | 1347138 | |
| Timothy Walsh | 2016-06-16 06:49:23 UTC | Depends On | 1347139 | |
| Timothy Walsh | 2016-06-17 13:27:06 UTC | Whiteboard | impact=low,public=20160222,reported=20140622,source=bugtraq,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,brms-5/jbossweb=new,eap-4/jbossweb=wontfix,eap-5/jbossweb=wontfix,eap-6/jbossweb=affected,epel-6/tomcat=affected,fedora-all/tomcat=new,fsw-6/jbossweb=new,jbews-2/tomcat7=wontfix,jbews-3/tomcat7=affected,jbews-3/tomcat8=affected,jdg-6/jbossweb=affected,jon-3/jbossweb=affected,jpp-6/jbossweb=affected,openshift-1/jbossweb=new,rhel-6/tomcat6=affected,rhel-7/tomcat=affected | impact=low,public=20160222,reported=20140622,source=bugtraq,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,brms-5/jbossweb=new,eap-4/jbossweb=wontfix,eap-5/jbossweb=wontfix,eap-6/jbossweb=affected,epel-6/tomcat=affected,fedora-all/tomcat=new,fsw-6/jbossweb=new,jbews-2/tomcat7=wontfix,jbews-3/tomcat7=affected,jbews-3/tomcat8=affected,jdg-6/jbossweb=affected,jon-3/jbossweb=affected,jpp-6/jbossweb=affected,openshift-1/jbossweb=new,rhel-7/tomcat=affected |
| Pavel Polischouk | 2016-06-17 21:28:23 UTC | Whiteboard | impact=low,public=20160222,reported=20140622,source=bugtraq,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,brms-5/jbossweb=new,eap-4/jbossweb=wontfix,eap-5/jbossweb=wontfix,eap-6/jbossweb=affected,epel-6/tomcat=affected,fedora-all/tomcat=new,fsw-6/jbossweb=new,jbews-2/tomcat7=wontfix,jbews-3/tomcat7=affected,jbews-3/tomcat8=affected,jdg-6/jbossweb=affected,jon-3/jbossweb=affected,jpp-6/jbossweb=affected,openshift-1/jbossweb=new,rhel-7/tomcat=affected | impact=low,public=20160222,reported=20140622,source=bugtraq,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,soap-5/jbossweb=wontfix,brms-5/jbossweb=wontfix,eap-4/jbossweb=wontfix,eap-5/jbossweb=wontfix,eap-6/jbossweb=affected,epel-6/tomcat=affected,fedora-all/tomcat=new,fsw-6/jbossweb=wontfix,jbews-2/tomcat7=wontfix,jbews-3/tomcat7=affected,jbews-3/tomcat8=affected,jdg-6/jbossweb=affected,jon-3/jbossweb=affected,jpp-6/jbossweb=affected,openshift-1/jbossweb=new,rhel-7/tomcat=affected |
| Coty Sutherland | 2016-07-01 11:58:33 UTC | Depends On | 1352009 | |
| Andrej Nemec | 2016-07-11 13:25:53 UTC | Priority | medium | low |
| | | Severity | medium | low |
| Timothy Walsh | 2016-07-25 13:13:10 UTC | Whiteboard | impact=low,public=20160222,reported=20140622,source=bugtraq,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,soap-5/jbossweb=wontfix,brms-5/jbossweb=wontfix,eap-4/jbossweb=wontfix,eap-5/jbossweb=wontfix,eap-6/jbossweb=affected,epel-6/tomcat=affected,fedora-all/tomcat=new,fsw-6/jbossweb=wontfix,jbews-2/tomcat7=wontfix,jbews-3/tomcat7=affected,jbews-3/tomcat8=affected,jdg-6/jbossweb=affected,jon-3/jbossweb=affected,jpp-6/jbossweb=affected,openshift-1/jbossweb=new,rhel-7/tomcat=affected | impact=low,public=20160222,reported=20140622,source=bugtraq,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,soap-5/jbossweb=wontfix,brms-5/jbossweb=wontfix,eap-4/jbossweb=wontfix,eap-5/jbossweb=wontfix,eap-6/jbossweb=affected,epel-6/tomcat=affected,fedora-all/tomcat=new,fsw-6/jbossweb=wontfix,jbews-2/tomcat7=wontfix,jbews-3/tomcat7=affected,jbews-3/tomcat8=affected,jdg-6/jbossweb=affected,jon-3/jbossweb=affected,jpp-6/jbossweb=affected,openshift-1/jbossweb=new,rhel-6/tomcat6=notaffected,rhel-7/tomcat=affected |
| Timothy Walsh | 2016-10-05 12:05:26 UTC | Whiteboard | impact=low,public=20160222,reported=20140622,source=bugtraq,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,soap-5/jbossweb=wontfix,brms-5/jbossweb=wontfix,eap-4/jbossweb=wontfix,eap-5/jbossweb=wontfix,eap-6/jbossweb=affected,epel-6/tomcat=affected,fedora-all/tomcat=new,fsw-6/jbossweb=wontfix,jbews-2/tomcat7=wontfix,jbews-3/tomcat7=affected,jbews-3/tomcat8=affected,jdg-6/jbossweb=affected,jon-3/jbossweb=affected,jpp-6/jbossweb=affected,openshift-1/jbossweb=new,rhel-6/tomcat6=notaffected,rhel-7/tomcat=affected | impact=low,public=20160222,reported=20140622,source=bugtraq,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,soap-5/jbossweb=wontfix,brms-5/jbossweb=wontfix,eap-4/jbossweb=wontfix,eap-5/jbossweb=wontfix,eap-6/jbossweb=affected,epel-6/tomcat=affected,fedora-all/tomcat=new,fsw-6/jbossweb=wontfix,jbews-2/tomcat7=affected,jbews-3/tomcat7=affected,jbews-3/tomcat8=affected,jdg-6/jbossweb=affected,jon-3/jbossweb=affected,jpp-6/jbossweb=affected,openshift-1/jbossweb=new,rhel-6/tomcat6=notaffected,rhel-7/tomcat=affected |
| Timothy Walsh | 2016-10-05 12:06:25 UTC | Depends On | 1381946 | |
| Timothy Walsh | 2016-10-07 06:40:38 UTC | Blocks | 1382592 | |
| Timothy Walsh | 2016-11-16 05:18:56 UTC | Whiteboard | impact=low,public=20160222,reported=20140622,source=bugtraq,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,soap-5/jbossweb=wontfix,brms-5/jbossweb=wontfix,eap-4/jbossweb=wontfix,eap-5/jbossweb=wontfix,eap-6/jbossweb=affected,epel-6/tomcat=affected,fedora-all/tomcat=new,fsw-6/jbossweb=wontfix,jbews-2/tomcat7=affected,jbews-3/tomcat7=affected,jbews-3/tomcat8=affected,jdg-6/jbossweb=affected,jon-3/jbossweb=affected,jpp-6/jbossweb=affected,openshift-1/jbossweb=new,rhel-6/tomcat6=notaffected,rhel-7/tomcat=affected | impact=low,public=20160222,reported=20140622,source=bugtraq,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cvss3=8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,soap-5/jbossweb=wontfix,brms-5/jbossweb=wontfix,eap-4/jbossweb=wontfix,eap-5/jbossweb=wontfix,eap-6/jbossweb=affected,epel-6/tomcat=affected,fedora-all/tomcat=new,fsw-6/jbossweb=wontfix,jbews-2/tomcat7=affected,jbews-3/tomcat7=affected,jbews-3/tomcat8=affected,jdg-6/jbossweb=affected,jon-3/jbossweb=affected,jpp-6/jbossweb=affected,openshift-1/jbossweb=new,rhel-6/tomcat6=notaffected,rhel-7/tomcat=affected |
| Timothy Walsh | 2017-03-02 11:22:38 UTC | Blocks | 1428325 | |
| Timothy Walsh | 2017-03-02 11:53:05 UTC | Blocks | 1428325 | |
| Timothy Walsh | 2017-03-08 07:37:21 UTC | Blocks | 1318206 | |
| PnT Account Manager | 2018-02-06 19:23:34 UTC | CC | hfnukal | |
| PnT Account Manager | 2018-05-10 18:16:13 UTC | CC | pavelp | |
| PnT Account Manager | 2018-06-29 22:07:19 UTC | CC | kseifried | |
| PnT Account Manager | 2018-08-27 21:29:57 UTC | CC | mdshaikh | |
| PnT Account Manager | 2019-05-02 21:51:01 UTC | CC | anemec | |
| Product Security DevOps Team | 2019-06-08 02:48:37 UTC | Status | NEW | CLOSED |
| | | Resolution | --- | ERRATA |
| | | Last Closed | | 2019-06-08 02:48:37 UTC |
| Product Security DevOps Team | 2019-09-29 13:44:17 UTC | Whiteboard | impact=low,public=20160222,reported=20140622,source=bugtraq,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cvss3=8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,soap-5/jbossweb=wontfix,brms-5/jbossweb=wontfix,eap-4/jbossweb=wontfix,eap-5/jbossweb=wontfix,eap-6/jbossweb=affected,epel-6/tomcat=affected,fedora-all/tomcat=new,fsw-6/jbossweb=wontfix,jbews-2/tomcat7=affected,jbews-3/tomcat7=affected,jbews-3/tomcat8=affected,jdg-6/jbossweb=affected,jon-3/jbossweb=affected,jpp-6/jbossweb=affected,openshift-1/jbossweb=new,rhel-6/tomcat6=notaffected,rhel-7/tomcat=affected |