What is CVE-2015-5346?

CVE-2015-5346 is a high-severity vulnerability in Apache Tomcat. CVSS score: 8.1/10. Published 2016-02-25.

How severe is CVE-2015-5346?

High severity. CVSS v3 base score is 8.1 out of 10.

Is CVE-2015-5346 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Tomcat

CVE-2015-5346

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote at…

EPSS: 0.366 (97.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.1 (High). Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Apache Tomcat — versions 7.0.0, 7.0.2, 7.0.4
Canonical Ubuntu_linux — versions 12.04, 14.04, 15.10
Debian Debian_linux — versions 7.0, 8.0
N/a — versions n/a

Public proof-of-concept exploits

References

secalert@redhat.com (x_refsource_CONFIRM)
GLSA-201705-09 (vendor-advisory, x_refsource_GENTOO)
20160222 [SECURITY] CVE-2015-5346 Apache Tomcat Session fixation (mailing-list, x_refsource_BUGTRAQ)
secalert@redhat.com (x_refsource_CONFIRM)
openSUSE-SU-2016:0865 (vendor-advisory, x_refsource_SUSE)
secalert@redhat.com (x_refsource_CONFIRM, Vendor Advisory)
USN-3024-1 (x_refsource_UBUNTU, vendor-advisory)
SUSE-SU-2016:0769 (vendor-advisory, x_refsource_SUSE)
DSA-3530 (vendor-advisory, x_refsource_DEBIAN)
secalert@redhat.com (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2015-5346?: CVE-2015-5346 is a high-severity vulnerability in Apache Tomcat. CVSS score: 8.1/10. Published 2016-02-25.
How severe is CVE-2015-5346?: High severity. CVSS v3 base score is 8.1 out of 10.
Is CVE-2015-5346 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.