CVE-2013-2067
Improper Authentication in Apache Tomcat
EPSS 10.4%
Description
java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationship between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending that request while the login form is being completed (a variant of a session fixation attack).
How to fix CVE-2013-2067
To remediate CVE-2013-2067, upgrade the affected package to the fixed version listed below.
- Maven/org.apache.tomcat:tomcat: upgrade to 6.0.37 or later
Is CVE-2013-2067 being exploited?
Moderate — EPSS is 10.4%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- org.apache.tomcat:tomcat >= 6.0.21, < 6.0.37