CVE-2007-3385 – org.apache.tomcat:tomcat
Package
Manager: maven
Name: org.apache.tomcat:tomcat
Vulnerable Version: >=6.0.0 <=6.0.13 || >=5.5.0 <=5.5.24 || >=5.0.0 <=5.0.30 || >=4.1.0 <=4.1.36 || >=3.3.0 <=3.3.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.69407 (percentile: 0.98597)
Details
Apache Tomcat Mishandles Character Sequence in Cookies

Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 does not properly handle the `\"` character sequence in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks.
Metadata
Created: 2022-05-01T18:13:14Z
Modified: 2025-04-09T16:37:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6j8f-66vh-39mj/GHSA-6j8f-66vh-39mj.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-6j8f-66vh-39mj
Finding: F017
Auto approve: 1