Apache Tomcat from the Apache Software Foundation is a web container that implements both Java Servlets and JavaServer Pages.
Apache Tomcat from the Apache Software Foundation contains a vulnerability that could allow a remote attacker to coerce a crafted cookie to a user's web browser.
The developer reports that this issue exists because of an incomplete fix for CVE-2007-3385.
A remote attacker could send a crafted cookie to a user's web browser, which may result in session hijacking.
Update the Software
For Apache Tomcat 6.0.x or Apache Tomcat 5.5.x:
Update the software to the latest version according to the information released by the developer.
For Apache Tomcat 4.1.x:
As of February 8, 2008, the Apache Tomcat Project has not yet released the latest version resolving the vulnerability. They report that they will release Apache Tomcat 4.1.37 soon.
For more information, refer to the developer's website.
## Products Affected