CVE-2013-2067
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2013-2067 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
This flaw allows an attacker to circumvent a session fixation prevention mechanism which was implemented in tomcat 5.5.x >= 5.5.29, 6.0.x >= 6.0.21 and 7.x. Earlier versions of tomcat do not include this mechanism, and are therefore not affected by this flaw. JBoss Web as included in JBoss 5.x products also does not include this mechanism, and is not affected by this flaw.
CVSS v2 metrics
| Base Score | 2.6 |
|---|---|
| Base Metrics | AV:N/AC:H/Au:N/C:N/I:P/A:N |
| Access Vector | Network |
| Access Complexity | High |
| Authentication | None |
| Confidentiality Impact | None |
| Integrity Impact | Partial |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Web Server 2.0 | RHSA-2013:1013 | 2013-07-03 |
| Red Hat JBoss Portal Platform 6.1 | RHSA-2013:1437 | 2013-10-16 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jbossweb) | RHSA-2013:0834 | 2013-05-20 |
| Red Hat Enterprise Linux 6 (tomcat6) | RHSA-2013:0964 | 2013-06-20 |
| Red Hat JBoss Enterprise Web Server 2 for RHEL 5 Server | RHSA-2013:1011 | 2013-07-03 |
| Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Server | RHSA-2013:1012 | 2013-07-03 |
| Red Hat JBoss Enterprise Application Platform 6.1 | RHSA-2013:0833 | 2013-05-20 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (jbossweb) | RHSA-2013:0839 | 2013-05-20 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat JBoss Operations Network 3.1 | jbossweb | Not affected |
| Red Hat JBoss EWS 1 | tomcat6 | Will not fix |
| Red Hat JBoss EWS 1 | tomcat5 | Will not fix |
| Red Hat JBoss Data Grid 6 | jbossweb | Not affected |
| Red Hat Enterprise Linux 5 | tomcat5 | Not affected |
CVE description copyright © 2017, The MITRE Corporation
