{"id":"CVE-2019-17563","details":"When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.","aliases":["GHSA-9xcj-c8cr-8c3c"],"modified":"2026-04-09T06:36:42.584033Z","published":"2019-12-23T17:15:11.803Z","related":["CGA-92h3-mvc7-5j8p","MGASA-2020-0054","SUSE-SU-2020:0029-1","SUSE-SU-2020:0226-1","SUSE-SU-2020:0632-1","SUSE-SU-2020:1497-1","SUSE-SU-2020:1498-1","openSUSE-SU-2020:0038-1","openSUSE-SU-2024:11468-1","openSUSE-SU-2024:13441-1"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/reb9a66f176df29b9a832caa95ebd9ffa3284e8f4922ec4fa3ad8eb2e%40%3Cissues.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4251-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4680"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html"},{"type":"ADVISORY","url":"https://seclists.org/bugtraq/2019/Dec/43"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20200107-0001/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2019/dsa-4596"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/8b4c1db8300117b28a0f3f743c0b9e3f964687a690cdf9662a884bbd%40%3Cannounce.tomcat.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202003-43"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2020.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/tomcat","events":[{"introduced":"e498667bd7811e846771a852b16ce9f1e524b81b"},{"last_affected":"fde40d7e0c7a1b0b2423cb84ad220a5d98b65591"},{"introduced":"e37b977db6f47e4380ad67114a49e8568951c953"},{"last_affected":"e0c759f3bd47e06b9d526ed40ed9d1e923f464b6"},{"introduced":"16bf392c67833ad549733b58c350ff92b5ee782a"},{"last_affected":"d628ee1e6e1121d60b4990239c242d0e18a25e42"},{"introduced":"0"},{"last_affected":"16bf392c67833ad549733b58c350ff92b5ee782a"},{"introduced":"0"},{"last_affected":"4c8b650437e2464c1c31c6598a263b3805b7a81f"}],"database_specific":{"versions":[{"introduced":"7.0.0"},{"last_affected":"7.0.98"},{"introduced":"8.5.0"},{"last_affected":"8.5.49"},{"introduced":"9.0.0"},{"last_affected":"9.0.29"},{"introduced":"0"},{"last_affected":"9.0"},{"introduced":"0"},{"last_affected":"10.0"}]}}],"versions":["10.0.0","7.0.98","8.5.49","9.0.0","9.0.29"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-17563.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"6.2.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.2.4"}]},{"events":[{"introduced":"17.1"},{"last_affected":"17.3"}]},{"events":[{"introduced":"0"},{"last_affected":"11.4"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.11.5331"}]},{"events":[{"introduced":"8.0.0"},{"last_affected":"8.0.18.1217"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.3.7"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}