CVE-2007-3382

Apache Tomcat - Information Disclosure

Description

Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 treats single quotes ("'") as delimiters in cookies, which might cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by Tomasz Kuczynski · text · remote · multiple
https://www.exploit-db.com/exploits/30496

References (46)

... and 26 more

Scores

EPSS 0.8391
EPSS Percentile 99.3%

Details

CWE CWE-200
Status published
Products (49)
apache/tomcat 3.3
apache/tomcat 3.3.1
apache/tomcat 3.3.1a
apache/tomcat 3.3.2
apache/tomcat 4.1.0
apache/tomcat 4.1.1
apache/tomcat 4.1.2
apache/tomcat 4.1.3 (2 CPE variants)
apache/tomcat 4.1.9 beta
apache/tomcat 4.1.10
... and 39 more
Published Aug 14, 2007
Tracked Since Feb 18, 2026