CVE-2008-0128

medium

Description

The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the Secure flag on the JSESSIONIDSSO cookie when it is issued during an HTTPS session. A browser therefore also sends the cookie on plain HTTP requests to the same host, which makes it easier for remote attackers with network access to capture the cookie.
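The mechanism behind this CVE is easy to check for from the outside: a session cookie issued over HTTPS without the Secure attribute will be attached by the browser to any http:// request for the same host. The following is an added illustration, not Tomcat code and not taken from any of the references: it parses Set-Cookie header values, flags session cookies (JSESSIONID and JSESSIONIDSSO are assumed to be the names of interest) set over HTTPS without Secure, and then models which cookies a browser would send on a plain-HTTP request. The sample headers are constructed for the example.

```python
"""Audit Set-Cookie headers for session cookies issued over HTTPS without the
Secure attribute, and show which of them a browser would leak over plain HTTP.
Added illustration for CVE-2008-0128; not Tomcat code. The sample headers are
constructed, not captured from a real server."""

from dataclasses import dataclass

# Assumption: these are the session cookie names worth auditing on a Tomcat host.
SESSION_COOKIE_NAMES = {"JSESSIONID", "JSESSIONIDSSO"}


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool
    http_only: bool
    path: str


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value: 'name=value; attr; attr=val; ...'.
    Attribute names are case-insensitive, so 'secure' and 'Secure' both count."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    secure = http_only = False
    path = "/"
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
        elif key == "path" and val.strip():
            path = val.strip()
    return Cookie(name.strip(), value.strip(), secure, http_only, path)


def audit(headers, over_https: bool):
    """Names of session cookies that were set over HTTPS without Secure.
    Over plain HTTP the Secure flag is irrelevant (a browser would not store a
    Secure cookie from an http:// response anyway), so nothing is reported."""
    findings = []
    for h in headers:
        c = parse_set_cookie(h)
        if over_https and c.name in SESSION_COOKIE_NAMES and not c.secure:
            findings.append(c.name)
    return findings


def cookies_sent(jar, scheme: str):
    """Names a browser attaches to a request over the given scheme: Secure
    cookies travel only over https, everything else goes over http as well."""
    return [c.name for c in jar if c.secure is False or scheme == "https"]


# Constructed responses. The first mirrors the pre-5.5.21 behaviour described
# in the CVE: the SSO cookie lacks Secure while the app cookie has it.
VULNERABLE_HEADERS = [
    "JSESSIONIDSSO=2F5B7E1A9C3D4B60; Path=/",
    "JSESSIONID=9A1C4E7D2B8F0356; Path=/app; Secure",
]
# The same exchange with the Secure flag set on both cookies.
FIXED_HEADERS = [
    "JSESSIONIDSSO=2F5B7E1A9C3D4B60; Path=/; Secure",
    "JSESSIONID=9A1C4E7D2B8F0356; Path=/app; Secure",
]


if __name__ == "__main__":
    for label, headers in (("vulnerable", VULNERABLE_HEADERS), ("fixed", FIXED_HEADERS)):
        jar = [parse_set_cookie(h) for h in headers]
        print(label, "missing Secure:", audit(headers, over_https=True))
        print(label, "sent over http:", cookies_sent(jar, "http"))
```

Run against a real host, the header values would come from the response to an HTTPS request that triggers the SSO login (for example the Set-Cookie headers from `curl -si https://host/...`); the logic is the same. The check only reports the Secure attribute, which is what this CVE is about; HttpOnly is parsed for completeness but not flagged.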

References

https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E

https://exchange.xforce.ibmcloud.com/vulnerabilities/39804

http://www.vupen.com/english/advisories/2009/0233

http://www.vupen.com/english/advisories/2008/0192

http://www.securityfocus.com/bid/27365

http://www.securityfocus.com/archive/1/500412/100/0/threaded

http://www.securityfocus.com/archive/1/500396/100/0/threaded

http://www.redhat.com/support/errata/RHSA-2008-0261.html

http://www.debian.org/security/2008/dsa-1468

http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540

http://security-tracker.debian.net/tracker/CVE-2008-0128

http://secunia.com/advisories/33668

http://secunia.com/advisories/31493

http://secunia.com/advisories/29242

http://secunia.com/advisories/28552

http://secunia.com/advisories/28549

http://rhn.redhat.com/errata/RHSA-2008-0630.html

http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html

http://issues.apache.org/bugzilla/show_bug.cgi?id=41217

http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx

Details

Source: Mitre, NVD

Published: 2008-01-23

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Severity: Medium