Apache Tomcat Session Fixation Vulnerability via Rewrite Valve

Vulnerability

A session fixation vulnerability has been identified in Apache Tomcat versions 11.0.0-M1 through 11.0.7, 10.1.0-M1 through 10.1.41, and 9.0.0.M1 through 9.0.105. Older, end-of-life versions may also be affected. When the rewrite valve was enabled for a web application, an attacker could craft a URL that, if clicked by a victim, would result in the victim's session being hijacked and their interactions with the resource being conducted under the attacker's session.

Impact

Exploitation of this vulnerability allows for session fixation, where an attacker can hijack a user's session and interact with resources on their behalf.

Remediation

Users are advised to upgrade to Apache Tomcat 11.0.8, 10.1.42, or 9.0.106.
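Because exposure requires both an affected Tomcat version and an enabled rewrite valve, the following check (an added example, not part of this advisory or of Tomcat's own code) maps a version string onto the ranges and fixed releases stated above and inspects a webapp's context.xml for the valve. It assumes Tomcat's standard valve class name org.apache.catalina.valves.rewrite.RewriteValve; the sample context.xml is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges and fixed releases exactly as the advisory states them.
AFFECTED = [
    ("11.0.0-M1", "11.0.7", "11.0.8"),
    ("10.1.0-M1", "10.1.41", "10.1.42"),
    ("9.0.0.M1", "9.0.105", "9.0.106"),
]
# Standard class name of Tomcat's rewrite valve (assumed from Tomcat's docs).
REWRITE_VALVE = "org.apache.catalina.valves.rewrite.RewriteValve"

def parse_version(v):
    """Turn '9.0.105', '9.0.0.M1' or '11.0.0-M1' into a sortable tuple.
    A milestone (M1, M2, ...) sorts before the GA release of that number."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    ga = 1 if milestone is None else 0
    return (int(major), int(minor), int(patch), ga, int(milestone or 0))

def fixed_release(version):
    """Release to upgrade to if `version` is in an affected range, None if
    the branch is already at or past its fix, 'unlisted' for branches the
    advisory does not enumerate (older EOL lines may also be affected)."""
    v = parse_version(version)
    for lo, hi, fix in AFFECTED:
        if parse_version(lo)[:2] != v[:2]:
            continue  # different major.minor branch
        return fix if v <= parse_version(hi) else None
    return "unlisted"

def rewrite_valve_enabled(context_xml):
    """True if a <Valve className="...RewriteValve"/> is configured."""
    root = ET.fromstring(context_xml)
    return any(el.get("className") == REWRITE_VALVE for el in root.iter("Valve"))

def needs_action(version, context_xml):
    """Exposure needs both an affected (or unlisted) version and the valve."""
    return fixed_release(version) is not None and rewrite_valve_enabled(context_xml)

# Constructed sample context.xml for a webapp with the rewrite valve enabled.
SAMPLE_CONTEXT = """<Context>
  <Valve className="org.apache.catalina.valves.rewrite.RewriteValve"/>
</Context>"""
```

Run `needs_action(server_version, open("META-INF/context.xml").read())` against each deployed webapp; a result of True means upgrade to the release `fixed_release` returns, or treat an "unlisted" branch as potentially affected.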

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 8.8
impact: 1.3
exploitability: 6.5
remediation: 7.7
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.