Apache Tomcat (tomcat) TOMCAT:E093CFBF3DFECC9AFA386072280B1B1B
Jan 07, 2008 - 12:00 a.m.

Fixed in Apache Tomcat 5.5.21

Apache Tomcat
tomcat.apache.org

CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

EPSS: 0.002 Low (Percentile: 54.6%)

Moderate: Session hi-jacking CVE-2008-0128

When using the SingleSignOn Valve via https, the JSESSIONIDSSO cookie is transmitted without the “secure” attribute, so it is also sent with any content that is, on purpose or by error, requested via http from the same server.

Affects: 5.0.0-5.0.SVN, 5.5.0-5.5.20
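
As an added example (not part of the Apache Tomcat advisory or Tomcat's own code), the following Python check flags a JSESSIONIDSSO cookie that is set over https without the Secure attribute. The function names are hypothetical and the Set-Cookie values are constructed sample data.

```python
# Added example: audit Set-Cookie headers for a JSESSIONIDSSO cookie that
# lacks the Secure attribute. Header values below are constructed samples.

AUDITED = frozenset({"JSESSIONIDSSO"})  # cookie named in the advisory


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, set of attribute names)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return "", set()
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; only text after the first ';'
    # counts, so a cookie value containing "secure" is not mistaken for it.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs


def cookies_missing_secure(scheme, set_cookie_values, names=AUDITED):
    """Return audited cookie names set over https without Secure."""
    if scheme.lower() != "https":
        return []  # the advisory concerns cookies issued over https
    flagged = []
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        if name in names and "secure" not in attrs:
            flagged.append(name)
    return flagged


# Constructed Set-Cookie values, as an affected and a corrected response
# might carry them (hypothetical session identifiers).
AFFECTED = ["JSESSIONIDSSO=0123456789ABCDEF; Path=/"]
CORRECTED = ["JSESSIONIDSSO=0123456789ABCDEF; Path=/; Secure"]
TRICKY = ["JSESSIONIDSSO=secure; Path=/"]  # "secure" is the value, not an attribute

if __name__ == "__main__":
    for label, headers in (("affected", AFFECTED), ("corrected", CORRECTED),
                           ("tricky", TRICKY)):
        print(label, cookies_missing_secure("https", headers))
```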

Low: Information disclosure CVE-2008-4308

Bug 40771 may result in the disclosure of POSTed content from a previous request. For a vulnerability to exist, the content read from the input stream must be disclosed, e.g. by writing it to the response and committing the response, before the ArrayIndexOutOfBoundsException occurs, which will halt processing of the request.

Affects: 5.5.10-5.5.20 (5.0.x unknown)
