Description
The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
Exploits (1)
References (22)
Vendor Advisory (vendor-advisory, x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2008-0630.html
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/27365
Various Sources (x_refsource_confirm): http://security-tracker.debian.net/tracker/CVE-2008-0128
Third Party Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/31493
Third Party Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/29242
Third Party Advisory, VDB Entry (mailing-list, x_refsource_bugtraq): http://www.securityfocus.com/archive/1/500412/100/0/threaded
Mailing List (vendor-advisory, x_refsource_suse): http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html
Patch (x_refsource_confirm): http://issues.apache.org/bugzilla/show_bug.cgi?id=41217
Third Party Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/33668
Third Party Advisory, VDB Entry (mailing-list, x_refsource_bugtraq): http://www.securityfocus.com/archive/1/500396/100/0/threaded
Vendor Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/28549
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/39804
Third Party Advisory (vdb-entry, x_refsource_vupen): http://www.vupen.com/english/advisories/2008/0192
Third Party Advisory (vdb-entry, x_refsource_vupen): http://www.vupen.com/english/advisories/2009/0233
Third Party Advisory (vendor-advisory, x_refsource_debian): http://www.debian.org/security/2008/dsa-1468
Vendor Advisory (vendor-advisory, x_refsource_redhat): http://www.redhat.com/support/errata/RHSA-2008-0261.html
Vendor Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/28552
Various Sources (x_refsource_confirm): http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
Various Sources (x_refsource_confirm): http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
Mailing List (mailing-list, x_refsource_mlist): https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
Mailing List (mailing-list, x_refsource_mlist): https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
Mailing List (mailing-list, x_refsource_mlist): https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
Scores
EPSS: 0.0386
EPSS Percentile: 88.3%
Details
CWE: CWE-16
Status: published
Products (1)
apache/tomcat < 5.5.20
Published: Jan 23, 2008
Tracked Since: Feb 18, 2026