CVE-2007-3382

medium

Description

Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 treats single quotes ("'") as delimiters in cookies, which might cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks.

References

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01192554

http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html

http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html

http://secunia.com/advisories/26466

http://secunia.com/advisories/26898

http://secunia.com/advisories/27037

http://secunia.com/advisories/27267

http://secunia.com/advisories/27727

http://secunia.com/advisories/28317

http://secunia.com/advisories/28361

http://secunia.com/advisories/29242

http://secunia.com/advisories/30802

http://secunia.com/advisories/33668

http://secunia.com/advisories/36486

http://securitytracker.com/id?1018556

https://exchange.xforce.ibmcloud.com/vulnerabilities/36006

https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11269

http://support.apple.com/kb/HT2163

https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html

http://tomcat.apache.org/security-6.html

http://www-01.ibm.com/support/docview.wss?uid=swg1IZ55562

http://www.debian.org/security/2008/dsa-1447

http://www.debian.org/security/2008/dsa-1453

http://www.kb.cert.org/vuls/id/993544

http://www.mandriva.com/security/advisories?name=MDKSA-2007:241

http://www.redhat.com/support/errata/RHSA-2007-0871.html

http://www.redhat.com/support/errata/RHSA-2007-0950.html

http://www.redhat.com/support/errata/RHSA-2008-0195.html

http://www.redhat.com/support/errata/RHSA-2008-0261.html

http://www.vupen.com/english/advisories/2007/2902

http://www.vupen.com/english/advisories/2007/3386

http://www.vupen.com/english/advisories/2007/3527

http://www.vupen.com/english/advisories/2008/1981/references

http://www.vupen.com/english/advisories/2009/0233

Details

Published: 2007-08-14

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Severity: Medium