{"id":"CVE-2019-17563","details":"When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.","aliases":["GHSA-9xcj-c8cr-8c3c"],"modified":"2026-05-18T05:50:40.846898416Z","published":"2019-12-23T17:15:11.803Z","related":["CGA-92h3-mvc7-5j8p","SUSE-SU-2020:0029-1","SUSE-SU-2020:0226-1","SUSE-SU-2020:0632-1","SUSE-SU-2020:1497-1","SUSE-SU-2020:1498-1","openSUSE-SU-2020:0038-1","openSUSE-SU-2024:11468-1","openSUSE-SU-2024:13441-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","vendor_product":"canonical:ubuntu_linux","cpes":["cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*"],"extracted_events":[{"last_affected":"16.04"}]},{"source":"CPE_FIELD","vendor_product":"debian:debian_linux","cpes":["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"8.0"},{"last_affected":"9.0"},{"last_affected":"10.0"}]},{"source":"CPE_FIELD","vendor_product":"opensuse:leap","cpes":["cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"15.1"}]},{"vendor_product":"oracle:agile_engineering_data_management","source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"6.2.1.0"}]},{"vendor_product":"oracle:hyperion_infrastructure_technology","source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"11.1.2.4"}]},{"vendor_product":"oracle:instantis_enterprisetrack","source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:instantis_enterprisetrack:*:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"17.1"},{"last_affected":"17.3"}]},{"vendor_product":"oracle:micros_relate_crm_software","source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:micros_relate_crm_software:11.4:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"11.4"}]},{"source":"CPE_FIELD","vendor_product":"oracle:mysql_enterprise_monitor","cpes":["cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"4.0.11.5331"},{"introduced":"8.0.0"},{"last_affected":"8.0.18.1217"}]},{"vendor_product":"oracle:retail_order_broker","source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"15.0"}]},{"vendor_product":"oracle:transportation_management","source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:transportation_management:6.3.7:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"6.3.7"}]}]},"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/reb9a66f176df29b9a832caa95ebd9ffa3284e8f4922ec4fa3ad8eb2e%40%3Cissues.cxf.apache.org%3E"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/8b4c1db8300117b28a0f3f743c0b9e3f964687a690cdf9662a884bbd%40%3Cannounce.tomcat.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html"},{"type":"ADVISORY","url":"https://seclists.org/bugtraq/2019/Dec/43"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202003-43"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20200107-0001/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4251-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2019/dsa-4596"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4680"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2020.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/tomcat","events":[{"introduced":"e498667bd7811e846771a852b16ce9f1e524b81b"},{"last_affected":"fde40d7e0c7a1b0b2423cb84ad220a5d98b65591"},{"introduced":"e37b977db6f47e4380ad67114a49e8568951c953"},{"last_affected":"e0c759f3bd47e06b9d526ed40ed9d1e923f464b6"},{"introduced":"16bf392c67833ad549733b58c350ff92b5ee782a"},{"last_affected":"d628ee1e6e1121d60b4990239c242d0e18a25e42"}],"database_specific":{"source":"CPE_FIELD","cpe":"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"7.0.0"},{"last_affected":"7.0.98"},{"introduced":"8.5.0"},{"last_affected":"8.5.49"},{"introduced":"9.0.0"},{"last_affected":"9.0.29"}]}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-17563.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}