PT-2013-1681 · Red Hat · Red Hat JBoss Web

Published: 2013-10-28 · Updated: 2013-10-30 · CVE-2012-4529

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Name of the vulnerable software and affected versions

Red Hat JBoss Web versions 7.1.x and earlier

Description

The issue concerns the org.apache.catalina.connector.Response.encodeURL method. Even when the session tracking mode is set to COOKIE, it includes the jsessionid in the URLs of the first response of a session. This allows remote attackers to obtain the session id either through a man-in-the-middle attack or by reading a log in which the URL was recorded.

Recommendations

For Red Hat JBoss Web versions 7.1.x and earlier, consider configuring the tracking mode so that the jsessionid is not sent in the URL, or apply alternative security measures to protect session ids from being obtained by unauthorized parties. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
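As an added example (not part of this advisory or of JBoss Web itself), the following Python scanner flags access-log requests whose URL carries the `;jsessionid=` path parameter that Catalina's URL rewriting appends, which is the log exposure described above, and provides a helper to scrub that parameter before logs are retained. The log lines are constructed samples.

```python
import re
from typing import Dict, List

# Catalina URL rewriting appends the session id as a path parameter,
# e.g. /app/home.jsp;jsessionid=ABC123.node1?tab=1, so it lands in access logs.
JSESSIONID_IN_PATH = re.compile(r";jsessionid=(?P<sid>[^\s?;/]+)", re.IGNORECASE)

# Request field of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST_FIELD = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_exposed_sessions(log_lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per request whose URL carries a jsessionid path parameter."""
    hits = []
    for line in log_lines:
        req = REQUEST_FIELD.search(line)
        if not req:
            continue  # not a parseable request line
        sid_match = JSESSIONID_IN_PATH.search(req.group("target"))
        if sid_match:
            sid = sid_match.group("sid")
            hits.append({
                "client": line.split(" ", 1)[0],
                "target": req.group("target"),
                # Report only a prefix so the finding itself does not leak the full id.
                "session_id_prefix": sid[:6] + "...",
            })
    return hits


def redact_jsessionid(target: str) -> str:
    """Strip the ;jsessionid=... path parameter from a request target before logging."""
    return JSESSIONID_IN_PATH.sub("", target)


# Constructed sample access-log lines (not taken from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Oct/2013:10:00:01 +0000] "GET /shop/login.jsp HTTP/1.1" 200 512',
    '10.0.0.5 - - [28/Oct/2013:10:00:02 +0000] "GET /shop/home.jsp;jsessionid=5F0A9C2D71E4B3A8C6D2E1F0B9A8C7D6.node1?tab=1 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [28/Oct/2013:10:00:03 +0000] "POST /shop/cart;jsessionid=0123456789ABCDEF0123456789ABCDEF HTTP/1.1" 302 0',
    '10.0.0.9 - - [28/Oct/2013:10:00:04 +0000] "GET /shop/cart HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in find_exposed_sessions(SAMPLE_LOG):
        print(hit)
```

Because the id appears in the path rather than the query string, scrubbing only query parameters would miss it; the redaction targets the path parameter directly.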

Related identifiers

CVE-2012-4529
RHSA-2013:0834
RHSA-2013:0839

Affected products

Apache Catalina
Red Hat JBoss Web