Strix
26.1K

CVE-2013-6357

UnknownEPSS 2.54%

Last modified

CVE-2013-6357 is a vulnerability of currently unknown severity. Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI. NOTE: the vendor disputes the significance of this report, stating that "the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application ... EPSS estimates a 2.54% chance of exploitation in the next 30 days.

Description

Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI. NOTE: the vendor disputes the significance of this report, stating that "the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application ... as they require a reckless system administrator.

Metrics

EPSS Probability
2.54%

82.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersionsUpdate
ApacheTomcat<= 5.5.25
ApacheTomcat1.1.3
ApacheTomcat3.0
ApacheTomcat3.1
ApacheTomcat3.1.1
ApacheTomcat3.2
ApacheTomcat3.2.1
ApacheTomcat3.2.2
ApacheTomcat3.2.3
ApacheTomcat3.2.4
ApacheTomcat3.3
ApacheTomcat3.3.1
ApacheTomcat3.3.1a
ApacheTomcat3.3.2
ApacheTomcat4
ApacheTomcat4.0.0
ApacheTomcat4.0.1
ApacheTomcat4.0.2
ApacheTomcat4.0.3
ApacheTomcat4.0.4
ApacheTomcat4.0.5
ApacheTomcat4.0.6
ApacheTomcat4.1.0
ApacheTomcat4.1.1
ApacheTomcat4.1.2
ApacheTomcat4.1.3
ApacheTomcat4.1.9Beta
ApacheTomcat4.1.10
ApacheTomcat4.1.12
ApacheTomcat4.1.15
ApacheTomcat4.1.24
ApacheTomcat4.1.28
ApacheTomcat4.1.29
ApacheTomcat4.1.31
ApacheTomcat4.1.36
ApacheTomcat5
ApacheTomcat5.0.0
ApacheTomcat5.0.1
ApacheTomcat5.0.2
ApacheTomcat5.0.3
ApacheTomcat5.0.4
ApacheTomcat5.0.5
ApacheTomcat5.0.6
ApacheTomcat5.0.7
ApacheTomcat5.0.8
ApacheTomcat5.0.9
ApacheTomcat5.0.10
ApacheTomcat5.0.11
ApacheTomcat5.0.12
ApacheTomcat5.0.13

Showing 50 of 91 affected configurations. See NVD for the full list.

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2013-6357?
Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI. NOTE: the vendor disputes the significance of this report, stating that "the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application ... as they require a reckless system administrator.
How severe is CVE-2013-6357?
Severity scoring for CVE-2013-6357 is pending analysis. The EPSS model estimates a 2.54% probability of exploitation in the next 30 days.
How do I fix CVE-2013-6357?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2013-6357?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST