CVE-2012-4529

medium

Description

The org.apache.catalina.connector.Response.encodeURL method in Red Hat JBoss Web 7.1.x and earlier, when the tracking mode is set to COOKIE, sends the jsessionid in the URL of the first response of a session, which allows remote attackers to obtain the session id (1) via a man-in-the-middle attack or (2) by reading a log.

References

https://issues.jboss.org/browse/JBWEB-249

http://rhn.redhat.com/errata/RHSA-2013-1437.html

http://rhn.redhat.com/errata/RHSA-2013-0839.html

http://rhn.redhat.com/errata/RHSA-2013-0834.html

http://rhn.redhat.com/errata/RHSA-2013-0833.html

http://ocpsoft.org/support/topic/session-id-is-appended-as-url-path-parameter-in-very-first-request/

Details

Source: Mitre, NVD

Published: 2013-10-28

Updated: 2025-04-11

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00563