Japan Vulnerability NotesJVN:09470767JVN#09470767 Apache Tomcat fails to properly handle cookie value
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.106 Low
EPSS
Percentile
94.9%
Apache Tomcat from the Apache Software Foundation is a web container that implements both Java Servlets and JavaServer Pages.
Apache Tomcat from the Apache Software Foundation contains a vulnerability that could allow a remote attacker to coerce a crafted cookie to a userβs web browser.
The developer reports that this issue exists because of an incomplete fix for CVE-2007-3385.
Impact
A remote attacker could send a crafted cookie to a userβs web browser, which may result in session hijacking.
Solution
Update the Software
For Apache Tomcat 6.0.x or Apache Tomcat 5.5.x:
Update the software to the latest version according to the information released by the developer.
For Apache Tomcat 4.1.x:
As of February 8, 2008, the Apache Tomcat Project has not yet released the latest version resolving the vulnerability. They report that they will release Apache Tomcat 4.1.37 soon.
For more information, refer to the developerβs website.
Products Affected
- Apache Tomcat 4.1.0 through 4.1.36
- Apache Tomcat 5.5.0 through 5.5.25
- Apache Tomcat 6.0.0 through 6.0.14
For more information, refer to the developerβs website.
Related
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.106 Low
EPSS
Percentile
94.9%