PT-2007-7437 · Apache · Apache Tomcat

Published

2007-02-08

Updated

2019-03-25

CVE-2008-0128

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions Apache Tomcat versions prior to 5.5.21

Description The issue concerns the SingleSignOn Valve in Apache Tomcat, where the JSESSIONIDSSO cookie is not set with the secure flag during an https session. This can cause the cookie to be sent in http requests, making it easier for remote attackers to capture the cookie. Specifically, when using the SingleSignOn Valve via https, the JSESSIONIDSSO cookie is transmitted without the secure attribute, resulting in it being transmitted to any content requested via http from the same server.

Recommendations For versions prior to 5.5.21, update to version 5.5.21 or later to resolve the issue. As a temporary workaround, consider configuring the SingleSignOn Valve to set the secure flag for the JSESSIONIDSSO cookie to minimize the risk of exploitation.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-16

Related Identifiers

CVE-2008-0128

DSA-1468-1

RHSA-2008:0261

RHSA-2008:0524

RHSA-2008:0630

RHSA-2010:0602

Affected Products

Apache Tomcat

PT-2007-7437 · Apache · Apache Tomcat

CVE-2008-0128

Weakness Enumeration

Related Identifiers

Affected Products

References · 27