Description
Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385.
Overall state of this security issue: Resolved
This issue is currently rated as having moderate severity.
National Vulnerability Database
SUSE Security Advisories:
- SUSE-SR:2009:004, published Tue, 17 Feb 2009 10:00:00 +0000
- TID7006398, published Sat May 19 21:49:58 CEST 2018
SUSE Timeline for this CVE
CVE page created: Tue Jul 9 16:15:07 2013
CVE page last modified: Mon Feb 13 11:22:50 2023