When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0
to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker
could perform a session fixation attack. The window was considered too
narrow for an exploit to be practical but, erring on the side of caution,
this issue has been treated as a security vulnerability.

When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is
configured with the JMX Remote Lifecycle Listener, a local attacker without
access to the Tomcat process or configuration files is able to manipulate
the RMI registry to perform a man-in-the-middle attack to capture user names
and passwords used to access the JMX interface. The attacker can then use
these credentials to access the JMX interface and gain complete control over
the Tomcat instance.
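
A defender can triage an instance against both issues above by combining the version ranges with the configuration each issue depends on (FORM authentication in web.xml, the JMX Remote Lifecycle Listener in server.xml). The following is an added example, not code from the Tomcat project; the function names, finding labels and sample XML are constructed for illustration, and the 7.0.x entry for the JMX issue is assumed to mean the range 7.0.0 through 7.0.97.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges from the advisory text, as inclusive (low, high) triples.
# Assumption: "7.0.0 and 7.0.97" is read as the range 7.0.0 through 7.0.97.
FORM_FIXATION = [((9, 0, 0), (9, 0, 29)), ((8, 5, 0), (8, 5, 49)), ((7, 0, 0), (7, 0, 98))]
JMX_LISTENER = [((9, 0, 0), (9, 0, 28)), ((8, 5, 0), (8, 5, 47)), ((7, 0, 0), (7, 0, 97))]
JMX_CLASS = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"

# Constructed sample configuration (not taken from any real deployment).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002"/>
</Server>"""
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>"""

def parse_version(text):
    # Milestone suffixes are dropped: 9.0.0.M1 is the lower bound of the 9.0
    # range, so every 9.0.0.Mx build compares as (9, 0, 0).
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    return tuple(int(g) for g in m.groups())

def in_ranges(version, ranges):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in ranges)

def uses_form_auth(web_xml):
    # Match <auth-method> regardless of the deployment descriptor namespace.
    return any(el.tag.rsplit("}", 1)[-1] == "auth-method"
               and (el.text or "").strip() == "FORM"
               for el in ET.fromstring(web_xml).iter())

def has_jmx_listener(server_xml):
    return any(el.get("className") == JMX_CLASS
               for el in ET.fromstring(server_xml).iter("Listener"))

def assess(version, server_xml, web_xml):
    findings = []  # hypothetical finding labels, one per issue described above
    if in_ranges(version, FORM_FIXATION) and uses_form_auth(web_xml):
        findings.append("form-auth-session-fixation")
    if in_ranges(version, JMX_LISTENER) and has_jmx_listener(server_xml):
        findings.append("jmx-remote-listener-rmi-mitm")
    return findings

if __name__ == "__main__":
    for v in ("9.0.0.M1", "9.0.29", "8.5.47", "9.0.30"):
        print(v, assess(v, SAMPLE_SERVER_XML, SAMPLE_WEB_XML))
```

An empty result means the instance is outside the stated ranges or does not use the affected feature; it says nothing about other issues.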