CVE-2007-3382

Description

Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 treats single quotes ("'") as delimiters in cookies, which might cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks.

References

https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11269

https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E

https://exchange.xforce.ibmcloud.com/vulnerabilities/36006

http://www.vupen.com/english/advisories/2009/0233

http://www.vupen.com/english/advisories/2008/1981/references

http://www.vupen.com/english/advisories/2007/3527

http://www.vupen.com/english/advisories/2007/3386

http://www.vupen.com/english/advisories/2007/2902

http://www.securityfocus.com/bid/25316

http://www.securityfocus.com/archive/1/500412/100/0/threaded

http://www.securityfocus.com/archive/1/500396/100/0/threaded

http://www.securityfocus.com/archive/1/476466/100/0/threaded

http://www.securityfocus.com/archive/1/476442/100/0/threaded

http://www.redhat.com/support/errata/RHSA-2008-0261.html

http://www.redhat.com/support/errata/RHSA-2008-0195.html

http://www.redhat.com/support/errata/RHSA-2007-0950.html

http://www.redhat.com/support/errata/RHSA-2007-0871.html

http://www.mandriva.com/security/advisories?name=MDKSA-2007:241

http://www.kb.cert.org/vuls/id/993544

http://www.debian.org/security/2008/dsa-1453

http://www.debian.org/security/2008/dsa-1447

http://www-01.ibm.com/support/docview.wss?uid=swg1IZ55562

http://tomcat.apache.org/security-6.html

http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540

http://support.apple.com/kb/HT2163

http://securitytracker.com/id?1018556

http://secunia.com/advisories/36486

http://secunia.com/advisories/33668

http://secunia.com/advisories/30802

http://secunia.com/advisories/29242

http://secunia.com/advisories/28361

http://secunia.com/advisories/28317

http://secunia.com/advisories/27727

http://secunia.com/advisories/27267

http://secunia.com/advisories/27037

http://secunia.com/advisories/26898

http://secunia.com/advisories/26466

http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html

http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html

http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01192554

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795

http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx

Details

Source: Mitre, NVD

Risk Information

CVSS v2

CVSS v3