Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385.
References
Configurations
Configuration 1 (hide)
|
History
07 Nov 2023, 02:01
Type | Values Removed | Values Added |
---|---|---|
Summary | Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385. |
Information
Published : 2008-02-12 01:00
Updated : 2024-02-28 11:01
NVD link : CVE-2007-5333
Mitre link : CVE-2007-5333
CVE.ORG link : CVE-2007-5333
JSON object : View
Products Affected
apache
- tomcat
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor