CVE-2007-3382 – org.apache.tomcat:tomcat
Package
Manager: maven
Name: org.apache.tomcat:tomcat
Vulnerable Version: >=6.0.0 <=6.0.13 || >=5.5.0 <=5.5.24 || >=5.0.0 <=5.0.30 || >=4.1.0 <=4.1.36 || >=3.3.0 <=3.3.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.86383 (percentile 0.99368)
Details
Apache Tomcat treats single quotes as delimiters in cookies

Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 treats single quotes (`'`) as delimiters in cookies, which might cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks.
Metadata
Created: 2022-05-01T18:13:14Z
Modified: 2023-09-22T21:05:30Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qff8-g48j-pwpw/GHSA-qff8-g48j-pwpw.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-qff8-g48j-pwpw
Finding: F308
Auto approve: 1