CVE-2019-17563 - 漏洞详情

CVE-2019-17563 (CNNVD-201912-927)

HIGH

中文标题:

Apache Tomcat 授权问题漏洞

英文标题:

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7...

CVSS分数: 7.5

发布时间: 2019-12-23 16:39:01

漏洞类型: 授权问题

状态: PUBLISHED

数据质量分数: 0.30

数据版本: v3

漏洞描述

中文描述:

Apache Tomcat是美国阿帕奇（Apache）基金会的一款轻量级Web应用服务器。该程序实现了对Servlet和JavaServer Page（JSP）的支持。 Apache Tomcat 9.0.0.M1版本至9.0.29版本、8.5.0版本至8.5.49版本和7.0.0版本至7.0.98版本中存在授权问题漏洞。攻击者可借助FORM身份验证功能利用该漏洞访问其他用户的会话。

英文描述:

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

CWE类型:

CWE-384

受影响产品

厂商	产品	版本	版本范围	平台	CPE
Apache Software Foundation	Apache Tomcat	9.0.0.M1 to 9.0.29	-	-	`cpe:2.3:a:apache_software_foundation:apache_tomcat:9.0.0.m1_to_9.0.29:::::::*`
Apache Software Foundation	Apache Tomcat	8.5.0 to 8.5.49	-	-	`cpe:2.3:a:apache_software_foundation:apache_tomcat:8.5.0_to_8.5.49:::::::*`
Apache Software Foundation	Apache Tomcat	7.0.0 to 7.0.98	-	-	`cpe:2.3:a:apache_software_foundation:apache_tomcat:7.0.0_to_7.0.98:::::::*`
apache	tomcat	*	-	-	`cpe:2.3:a:apache:tomcat::::::::`
debian	debian_linux	8.0	-	-	`cpe:2.3:o:debian:debian_linux:8.0:::::::*`
debian	debian_linux	9.0	-	-	`cpe:2.3:o:debian:debian_linux:9.0:::::::*`
debian	debian_linux	10.0	-	-	`cpe:2.3:o:debian:debian_linux:10.0:::::::*`
opensuse	leap	15.1	-	-	`cpe:2.3:o:opensuse:leap:15.1:::::::*`
canonical	ubuntu_linux	16.04	-	-	`cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::`
oracle	agile_engineering_data_management	6.2.1.0	-	-	`cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:::::::*`
oracle	hyperion_infrastructure_technology	11.1.2.4	-	-	`cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:::::::*`
oracle	instantis_enterprisetrack	*	-	-	`cpe:2.3:a:oracle:instantis_enterprisetrack::::::::`
oracle	micros_relate_crm_software	11.4	-	-	`cpe:2.3:a:oracle:micros_relate_crm_software:11.4:::::::*`
oracle	mysql_enterprise_monitor	*	-	-	`cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::`
oracle	retail_order_broker	15.0	-	-	`cpe:2.3:a:oracle:retail_order_broker:15.0:::::::*`
oracle	transportation_management	6.3.7	-	-	`cpe:2.3:a:oracle:transportation_management:6.3.7:::::::*`

解决方案

中文解决方案:

（暂无数据）

英文解决方案:

（暂无数据）

临时解决方案:

（暂无数据）

参考链接

DSA-4596 vendor-advisory
cve.org

访问

20191229 [SECURITY] [DSA 4596-1] tomcat8 security update mailing-list
cve.org

访问

openSUSE-SU-2020:0038 vendor-advisory
cve.org

访问

[debian-lts-announce] 20200127 [SECURITY] [DLA 2077-1] tomcat7 security update mailing-list
cve.org

访问

USN-4251-1 vendor-advisory
cve.org

访问

[tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/ mailing-list
cve.org

访问

[tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/ mailing-list
cve.org

访问

[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/ mailing-list
cve.org

访问

[tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/ mailing-list
cve.org

访问

[tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/ mailing-list
cve.org

访问

GLSA-202003-43 vendor-advisory
cve.org

访问

DSA-4680 vendor-advisory
cve.org

访问

[debian-lts-announce] 20200528 [SECURITY] [DLA 2209-1] tomcat8 security update mailing-list
cve.org

访问

无标题 x_refsource_MISC
cve.org

访问

[cxf-issues] 20200618 [jira] [Created] (FEDIZ-249) Relying party rejects a valid security token and redirects back to ADFS when using Fediz 1.4.6 with Tomcat 8.5.56 mailing-list
cve.org

访问

无标题 x_refsource_MISC
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

无标题 x_refsource_MISC
cve.org

访问

CVSS评分详情

7.5

HIGH

CVSS向量: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS版本: 3.1

机密性

HIGH

完整性

HIGH

可用性

HIGH

时间信息

发布时间:

2019-12-23 16:39:01

修改时间:

2024-08-05 01:40:15

创建时间:

2025-11-11 15:35:39

更新时间:

2025-11-11 15:55:19

利用信息

暂无可利用代码信息

数据源详情

数据源	记录ID	版本	提取时间
CVE	`cve_CVE-2019-17563`	2025-11-11 15:20:05	2025-11-11 07:35:39
NVD	`nvd_CVE-2019-17563`	2025-11-11 14:56:30	2025-11-11 07:44:10
CNNVD	`cnnvd_CNNVD-201912-927`	2025-11-11 15:10:20	2025-11-11 07:55:19

版本与语言

当前版本: v3

主要语言: EN

支持语言:

EN ZH

安全公告

暂无安全公告信息

变更历史

v3 CNNVD

2025-11-11 15:55:19

vulnerability_type: 未提取 → 授权问题; cnnvd_id: 未提取 → CNNVD-201912-927; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']

查看详细变更

vulnerability_type: 未提取 -> 授权问题
cnnvd_id: 未提取 -> CNNVD-201912-927
data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']

v2 NVD

2025-11-11 15:44:10

severity: SeverityLevel.MEDIUM → SeverityLevel.HIGH; cvss_score: 未提取 → 7.5; cvss_vector: NOT_EXTRACTED → CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H; cvss_version: NOT_EXTRACTED → 3.1; affected_products_count: 3 → 16; data_sources: ['cve'] → ['cve', 'nvd']

查看详细变更

severity: SeverityLevel.MEDIUM -> SeverityLevel.HIGH
cvss_score: 未提取 -> 7.5
cvss_vector: NOT_EXTRACTED -> CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
cvss_version: NOT_EXTRACTED -> 3.1
affected_products_count: 3 -> 16
data_sources: ['cve'] -> ['cve', 'nvd']

CVE-2019-17563 (CNNVD-201912-927)

中文标题:

Apache Tomcat 授权问题漏洞

英文标题:

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7...

漏洞描述

中文描述:

英文描述:

CWE类型:

标签:

受影响产品

解决方案

中文解决方案:

英文解决方案:

临时解决方案:

参考链接

CVSS评分详情

时间信息

利用信息

数据源详情

版本与语言

安全公告

变更历史