4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.003 Low
EPSS
Percentile
68.0%
The org.apache.catalina.connector.Response.encodeURL method in Red Hat
JBoss Web 7.1.x and earlier, when the tracking mode is set to COOKIE, sends
the jsessionid in the URL of the first response of a session, which allows
remote attackers to obtain the session id (1) via a man-in-the-middle
attack or (2) by reading a log.
Author | Note |
---|---|
ebarretto | only builds a few libraries, not the full application server |