CVE-2007-3382

MEDIUM

Description

Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 treats single quotes ("'") as delimiters in cookies, which might cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks.

References

http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01192554

http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html

http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html

http://secunia.com/advisories/26466

http://secunia.com/advisories/26898

http://secunia.com/advisories/27037

http://secunia.com/advisories/27267

http://secunia.com/advisories/27727

http://secunia.com/advisories/28317

http://secunia.com/advisories/28361

http://secunia.com/advisories/29242

http://secunia.com/advisories/30802

http://secunia.com/advisories/33668

http://secunia.com/advisories/36486

http://securitytracker.com/id?1018556

http://support.apple.com/kb/HT2163

http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540

http://tomcat.apache.org/security-6.html

http://www-01.ibm.com/support/docview.wss?uid=swg1IZ55562

http://www.debian.org/security/2008/dsa-1447

http://www.debian.org/security/2008/dsa-1453

http://www.kb.cert.org/vuls/id/993544

http://www.mandriva.com/security/advisories?name=MDKSA-2007:241

http://www.redhat.com/support/errata/RHSA-2007-0871.html

http://www.redhat.com/support/errata/RHSA-2007-0950.html

http://www.redhat.com/support/errata/RHSA-2008-0195.html

http://www.redhat.com/support/errata/RHSA-2008-0261.html

http://www.securityfocus.com/archive/1/476442/100/0/threaded

http://www.securityfocus.com/archive/1/476466/100/0/threaded

http://www.securityfocus.com/archive/1/500396/100/0/threaded

http://www.securityfocus.com/archive/1/500412/100/0/threaded

http://www.securityfocus.com/bid/25316

http://www.vupen.com/english/advisories/2007/2902

http://www.vupen.com/english/advisories/2007/3386

http://www.vupen.com/english/advisories/2007/3527

http://www.vupen.com/english/advisories/2008/1981/references

http://www.vupen.com/english/advisories/2009/0233

https://exchange.xforce.ibmcloud.com/vulnerabilities/36006

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11269

https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html

Details

Source: MITRE

Published: 2007-08-14

Updated: 2019-03-25

Type: CWE-200 (Information Exposure)

Risk Information

CVSS v2.0

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N (network access vector, medium access complexity, no authentication required, partial confidentiality impact, no integrity or availability impact)

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM