CVE-2008-0128

Apache Tomcat <5.5.21 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-0128. PoCs published by ngyanch.

AI-analyzed exploit summary The repository contains a minimal Java project with a basic 'Hello World' example and Travis CI integration for Black Duck CoPilot, but no exploit code or technical details related to CVE-2008-0128.

Description

The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

Exploits (1)

nomisec STUB

by ngyanch · poc

https://github.com/ngyanch/4062-1

View Code ZIP pw:eip

The repository contains a minimal Java project with a basic 'Hello World' example and Travis CI integration for Black Duck CoPilot, but no exploit code or technical details related to CVE-2008-0128.

Classification

Stub 95%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: N/A

No auth needed

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (22)

Core 22

Core References

Vendor Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2008-0630.html

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/27365

Various Sources x_refsource_confirm

http://security-tracker.debian.net/tracker/CVE-2008-0128

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/31493

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/29242

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/500412/100/0/threaded

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html

Patch x_refsource_confirm

http://issues.apache.org/bugzilla/show_bug.cgi?id=41217

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/33668

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/500396/100/0/threaded

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/28549

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/39804

Third Party Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2008/0192

Third Party Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2009/0233

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2008/dsa-1468

Vendor Advisory vendor-advisory x_refsource_redhat

http://www.redhat.com/support/errata/RHSA-2008-0261.html

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/28552

Various Sources x_refsource_confirm

http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx

Various Sources x_refsource_confirm

http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E

Scores

EPSS 0.1962

EPSS Percentile 97.0%

Details

CWE

CWE-16

Status published

Products (1)

apache/tomcat < 5.5.20

Published Jan 23, 2008

Tracked Since Feb 18, 2026