CVE-2007-5333

Name of the Vulnerable Software and Affected Versions Apache Tomcat versions 4.1.0 through 4.1.36 Apache Tomcat versions 5.5.0 through 5.5.25 Apache Tomcat versions 6.0.0 through 6.0.14

Description The issue arises from improper handling of double quote (") characters or %5C (encoded backslash) sequences in a cookie value. This might cause sensitive information, such as session IDs, to be leaked to remote attackers, enabling session hijacking attacks. The problem exists due to an incomplete fix for a previous issue.

Recommendations For Apache Tomcat versions 4.1.0 through 4.1.36, update to a version that properly handles double quote characters and %5C sequences in cookie values. For Apache Tomcat versions 5.5.0 through 5.5.25, update to a version that properly handles double quote characters and %5C sequences in cookie values. For Apache Tomcat versions 6.0.0 through 6.0.14, update to a version that properly handles double quote characters and %5C sequences in cookie values. As a temporary workaround, consider restricting the use of quotes or %5C within cookie values to minimize the risk of exploitation.