CVE-2015-5351: Cross-Site Request Forgery (CSRF)

May 14, 2022 (updated December 8, 2023)

The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.

References

github.com/advisories/GHSA-w7cg-5969-678w
nvd.nist.gov/vuln/detail/CVE-2015-5351

Detect and mitigate CVE-2015-5351 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →