CVE-2014-0033 — org/apache/catalina/connector/CoyoteAdapter
org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33 through 6.0.37 does not consider the disableURLRewriting setting when handling a session ID in a URL, which allows remote attackers to conduct session fixation attacks via a crafted URL.
Published
2014-02-26T11:00:00.000Z
Last modified
2024-08-06T08:58:26.560Z
01What is this vulnerability?
org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33 through 6.0.37 does not consider the disableURLRewriting setting when handling a session ID in a URL, which allows remote attackers to conduct session fixation attacks via a crafted URL.
02Affected products
| Vendor | Product | Versions |
|---|
| n | a / n/a | n/a |
03Active exploitation status
Not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. EPSS is the best forward-looking signal — see the EPSS row above.
04Recommended remediation
- Patch to a fixed version listed in the vendor advisory (see references below).
- Mitigate with WAF rules, network egress filters, or feature flags where the patch is not yet available.
- Hunt historical logs for exploitation indicators — see Detection signatures below.
05Technical details
For the full vendor write-up, exploit chains, and reference implementations, see the references list in section 09.
06Detection signatures
Open the Sigma generator with a pre-filled prompt for this CVE to draft a starting detection in your stack of choice:
Open in Sigma generator →
07Related CVEs
No directly-cited follow-up CVEs in the KB record for this advisory. The references list in section 09 carries the vendor cross-references.
08Timeline
- Published: 2014-02-26T11:00:00.000Z
- Last modified: 2024-08-06T08:58:26.560Z
09References
- bugzilla.redhat.com — https://bugzilla.redhat.com/show_bug.cgi?id=1069919
- svn.apache.org — http://svn.apache.org/viewvc?view=revision&revision=1558822
- www.vmware.com — http://www.vmware.com/security/advisories/VMSA-2014-0012.html
- www.securityfocus.com — http://www.securityfocus.com/bid/65769
- www.debian.org — http://www.debian.org/security/2016/dsa-3530
- www.securityfocus.com — http://www.securityfocus.com/archive/1/534161/100/0/threaded
- www-01.ibm.com — http://www-01.ibm.com/support/docview.wss?uid=swg21677147
- www-01.ibm.com — http://www-01.ibm.com/support/docview.wss?uid=swg21678231
- secunia.com — http://secunia.com/advisories/59722
- tomcat.apache.org — http://tomcat.apache.org/security-6.html
- www.oracle.com — http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
- www.ubuntu.com — http://www.ubuntu.com/usn/USN-2130-1
- secunia.com — http://secunia.com/advisories/59873
- seclists.org — http://seclists.org/fulldisclosure/2014/Dec/23
- www.oracle.com — http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
- www-01.ibm.com — http://www-01.ibm.com/support/docview.wss?uid=swg21675886
- secunia.com — http://secunia.com/advisories/59036
- lists.apache.org — https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85…
- lists.apache.org — https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3…
- lists.apache.org — https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbea…
- lists.apache.org — https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9…
- lists.apache.org — https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe5…
- lists.apache.org — https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc0…
Want this in your SOAR or SIEM?
SARA's API returns EPSS, CVSS, KEV, and an analyst-grade summary in one call.
Read the API reference →