5

CVE-2008-0128

The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheTomcat Version <= 5.5.20
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 19.62% 0.97
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
http://www.redhat.com/support/errata/RHSA-2008-0261.html
http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html
http://secunia.com/advisories/29242
http://secunia.com/advisories/33668
http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
http://www.securityfocus.com/archive/1/500396/100/0/threaded
http://www.securityfocus.com/archive/1/500412/100/0/threaded
http://www.vupen.com/english/advisories/2009/0233
http://rhn.redhat.com/errata/RHSA-2008-0630.html
http://secunia.com/advisories/31493
http://secunia.com/advisories/28549
Vendor Advisory
http://www.debian.org/security/2008/dsa-1468
http://issues.apache.org/bugzilla/show_bug.cgi?id=41217
Patch
http://secunia.com/advisories/28552
Vendor Advisory
http://security-tracker.debian.net/tracker/CVE-2008-0128
http://www.securityfocus.com/bid/27365
http://www.vupen.com/english/advisories/2008/0192
https://exchange.xforce.ibmcloud.com/vulnerabilities/39804