GHSA-9xcj-c8cr-8c3c

GitHub Security Advisory

In Apache Tomcat, when using FORM authentication there was a narrow window where an attacker could perform a session fixation attack

GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98, there was a narrow window during which an attacker could perform a session fixation attack. The window was considered too narrow for a practical exploit, but, erring on the side of caution, the issue has been treated as a security vulnerability.

Affected Packages

Maven org.apache.tomcat.embed:tomcat-embed-core
Affected versions: 0 (fixed in 7.0.99)
Maven org.apache.tomcat.embed:tomcat-embed-core
Affected versions: 8.0.0 (fixed in 8.5.50)
Maven org.apache.tomcat.embed:tomcat-embed-core
Affected versions: 9.0.0 (fixed in 9.0.30)

Key Information

GHSA ID
GHSA-9xcj-c8cr-8c3c
Published
December 26, 2019 6:22 PM
Last Modified
October 7, 2022 8:34 PM
CVSS Score
7.5 /10
Primary Ecosystem
Maven
Primary Package
org.apache.tomcat.embed:tomcat-embed-core
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 14, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.