CVE-2007-5333 – org.apache.tomcat:tomcat
Package
Manager: maven
Name: org.apache.tomcat:tomcat
Vulnerable Version: >=6.0.0 <6.0.15 || >=5.5.0 <5.5.26 || >=4.1.0 <4.1.37
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.81599 (percentile 0.99141)
Details
Exposure of Sensitive Information in Apache Tomcat
Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 do not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385.
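Added example for this record; it is not Apache Tomcat source and not part of the advisory. It does two things a practitioner wants from the text above: checks a Tomcat version against the affected ranges listed under Package, and shows how an application that cannot upgrade yet can keep the characters the CVE names (a double quote, and a backslash or its encoded form %5C) out of cookie values it sets. The cookie-octet grammar is the one from RFC 6265; the choice of unpadded base64url as the encoding and all function names are this example's own assumptions, not a Tomcat API.

```python
"""Added example for this advisory; it is not Apache Tomcat code.

Checks a version against the affected ranges above, and keeps the
characters the CVE names out of application-set cookie values.
Function names are illustrative, not a Tomcat or advisory API.
"""
import base64
import re

# Affected ranges from the advisory: inclusive lower bound, exclusive upper bound.
AFFECTED_RANGES = (
    ((6, 0, 0), (6, 0, 15)),
    ((5, 5, 0), (5, 5, 26)),
    ((4, 1, 0), (4, 1, 37)),
)


def parse_version(version: str) -> tuple:
    """'6.0.14' -> (6, 0, 14). A qualifier after '-' (e.g. '-SNAPSHOT') is dropped."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str) -> bool:
    """True if the version is inside one of the advisory's vulnerable ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


# RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E, i.e.
# printable US-ASCII except CTLs, space, '"' (0x22), ',' (0x2C), ';' (0x3B), '\' (0x5C).
_COOKIE_OCTETS = re.compile(r"^[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*$")


def is_safe_cookie_value(value: str) -> bool:
    """Strict syntax check, plus rejection of the encoded backslash the CVE names.

    '%5C' consists of legal cookie-octets, so a pure RFC 6265 check would accept
    it; the vulnerable Tomcat parser mishandles that sequence, so refuse it too.
    """
    return bool(_COOKIE_OCTETS.match(value)) and "%5c" not in value.lower()


def encode_cookie_value(text: str) -> str:
    """Encode arbitrary text as unpadded base64url (A-Za-z0-9-_ only).

    Every output character is a cookie-octet and the output can never contain
    '"', '\\' or '%', so neither '%5C' nor a raw quote can reach Set-Cookie.
    Percent-encoding is deliberately avoided: it turns '\\' into exactly '%5C'.
    """
    raw = base64.urlsafe_b64encode(text.encode("utf-8"))
    return raw.rstrip(b"=").decode("ascii")


def decode_cookie_value(value: str) -> str:
    """Inverse of encode_cookie_value; restores the stripped padding first."""
    padded = value + "=" * (-len(value) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")


if __name__ == "__main__":
    for ver in ("6.0.14", "6.0.15", "5.5.25", "5.5.26", "4.1.36", "4.1.37"):
        print(f"{ver:8} affected={is_affected(ver)}")
    # Constructed hostile input: a quote, a separator, a raw backslash and %5C.
    hostile = 'x"; JSESSIONID=\\ %5C'
    print(is_safe_cookie_value(hostile))            # rejected as-is
    encoded = encode_cookie_value(hostile)
    print(encoded, is_safe_cookie_value(encoded))   # accepted after encoding
    assert decode_cookie_value(encoded) == hostile
```

The version check is only as good as the version string your build actually resolves; run it against the coordinates Maven reports (`mvn dependency:tree`), not the one declared in the POM, since a managed or transitive version may differ. The encoder is a stop-gap for values the application controls; the fix the ranges above imply is moving to 6.0.15, 5.5.26 or 4.1.37 or later.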
Metadata
Created: 2022-05-01T18:32:19Z
Modified: 2025-04-09T15:23:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cww4-vj5r-rx57/GHSA-cww4-vj5r-rx57.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-cww4-vj5r-rx57
Finding: F017
Auto approve: 1