-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
CVE-2007-3385: Handling of \" in cookies
Severity: Low (Session Hi-jacking)
Vendor: The Apache Software Foundation
Versions Affected: 6.0.0 to 6.0.13 5.5.0 to 5.5.24 5.0.0 to 5.0.30 4.1.0 to 4.1.36 3.3 to 3.3.2
Description: Tomcat incorrectly handles the character sequence \" in a cookie value. In some circumstances this can lead to the leaking of information such as session ID to an attacker.
Mitigation: Upgrade to 6.0.14
Credit: This issue was discovered by Tomasz Kuczynski, Poznan Supercomputing and Networking Center, who worked with the CERT/CC to report the vulnerability.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGwSFlb7IeiTPGAkMRArdPAJ99AXYzSterU7oG+u8UrtQAd2lTZwCbBK2R hwRixKaYOwWyj5kD+fLT1ls= =hgTP -----END PGP SIGNATURE-----