CVE-2015-5351 – org.apache.tomcat:tomcat
Package
Manager: maven
Name: org.apache.tomcat:tomcat
Vulnerable Version: >=0 <7.0.68 || >=8.0.0 <8.0.31 || >=9.0.0.m0 <9.0.0.m2
Severity
Level: High
CVSS v3.0: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.06311 (percentile 0.90581)
Details
The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, including requests that have not authenticated. An attacker can therefore obtain a valid session and token without credentials and embed them in a forged request, which defeats the CSRF protection mechanism (CWE-352).
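The following is an added example and is not code from Tomcat or from the advisory. It models the issuance flaw: an affected ManagerApp hands a session and a CSRF nonce to any new request at the application root, so an attacker can collect both anonymously and place them in a link that a logged-in administrator's browser (which attaches its cached Basic credentials) will follow. The hardened variant issues them only after authentication, so the same attack never obtains a nonce while legitimate use still works. The names Request, ManagerApp and CSRF_NONCE, the ;jsessionid= redirect shape and the /manager/html/stop path are this example's own simplifications, not Tomcat's exact classes or URLs.

```python
"""Model of the CVE-2015-5351 CSRF-token issuance flaw.

Added example, not Tomcat code. The Manager application is reduced to a root
endpoint, a state-changing stop endpoint and a session table, so the difference
between "issue a session and nonce to any new request" (affected) and "issue
them only after authentication" (hardened) can be exercised end to end.
Request, ManagerApp, CSRF_NONCE and the URL shapes are this example's own.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from typing import Optional

ROOT = "/manager/"
STOP = "/manager/html/stop"


@dataclass
class Request:
    path: str
    user: Optional[str] = None         # identity from Basic credentials the browser attached
    session_id: Optional[str] = None   # from a cookie or a ;jsessionid= path parameter
    params: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    location: Optional[str] = None     # redirect target, carrying session id and nonce if any
    body: str = ""


class ManagerApp:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.sessions: dict[str, str] = {}   # session id -> CSRF nonce bound to that session
        self.stopped: list[str] = []         # context paths a successful stop acted on

    def _start_session(self) -> tuple[str, str]:
        sid, nonce = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = nonce
        return sid, nonce

    def handle(self, req: Request) -> Response:
        if req.path == ROOT:
            return self._index(req)
        if req.path == STOP:
            return self._stop(req)
        return Response(404)

    def _index(self, req: Request) -> Response:
        # Hardened: no session and no nonce exist until the caller has authenticated.
        if self.hardened and req.user is None:
            return Response(401)
        # Affected: every new request gets a session and a nonce; the client has no
        # session cookie yet, so both are encoded into the redirect URL.
        sid, nonce = self._start_session()
        return Response(302, location=f"/manager/html;jsessionid={sid}?CSRF_NONCE={nonce}")

    def _stop(self, req: Request) -> Response:
        # Container authentication: credentials must accompany the request.
        if req.user is None:
            return Response(401)
        # CSRF prevention: the nonce must match the one bound to the request's session.
        expected = self.sessions.get(req.session_id or "")
        supplied = req.params.get("CSRF_NONCE", "")
        if expected is None or not secrets.compare_digest(expected, supplied):
            return Response(403, body="CSRF nonce missing or invalid")
        self.stopped.append(req.params["path"])
        return Response(200, body=f"OK - Stopped application at {req.params['path']}")


def parse_redirect(location: str) -> tuple[str, str]:
    """Extract the ;jsessionid= path parameter and the CSRF_NONCE query value."""
    path, _, query = location.partition("?")
    sid = path.split(";jsessionid=", 1)[1]
    nonce = dict(p.split("=", 1) for p in query.split("&"))["CSRF_NONCE"]
    return sid, nonce


def csrf_attack_succeeds(app: ManagerApp) -> bool:
    """Credential-less attacker tries to make a logged-in admin's browser stop an app."""
    probe = app.handle(Request(ROOT))            # 1. anonymous probe of the root
    if probe.status != 302:
        return False                             # nothing was handed out
    sid, nonce = parse_redirect(probe.location)
    # 2. Lure link carrying the attacker's session and nonce; the victim's browser
    #    adds the cached Basic credentials, so authentication and the nonce both pass.
    forged = Request(STOP, user="admin", session_id=sid,
                     params={"path": "/victim-app", "CSRF_NONCE": nonce})
    return app.handle(forged).status == 200


def legitimate_stop_succeeds(app: ManagerApp) -> bool:
    """Admin authenticates at the root, receives a nonce, and uses it to stop an app."""
    resp = app.handle(Request(ROOT, user="admin"))
    sid, nonce = parse_redirect(resp.location)
    ok = Request(STOP, user="admin", session_id=sid,
                 params={"path": "/old-app", "CSRF_NONCE": nonce})
    return app.handle(ok).status == 200


if __name__ == "__main__":
    for label, app in (("affected", ManagerApp(hardened=False)), ("hardened", ManagerApp(hardened=True))):
        print(f"{label}: attack {'succeeds' if csrf_attack_succeeds(app) else 'blocked'},"
              f" legitimate stop {'works' if legitimate_stop_succeeds(app) else 'fails'}")
```

The decisive check is in _index: the nonce is a secret shared between the server and one session, and it only protects against forgery if the party who obtains it is the one who has already proven their identity. The stop handler is identical in both variants; the bypass comes entirely from where the attacker was able to get a session and token.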
Metadata
Created: 2022-05-14T03:13:01Z
Modified: 2023-12-08T22:36:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w7cg-5969-678w/GHSA-w7cg-5969-678w.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-w7cg-5969-678w
Finding: F007
Auto approve: 1