DescriptionThe SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
Overall state of this security issue: Resolved
This issue is currently rated as having moderate severity.
|National Vulnerability Database|
SUSE Security Advisories:
- SUSE-SR:2008:005, published Thu, 06 Mar 2008 13:00:00 +0000
- TID7006398, published Sat May 19 21:49:58 CEST 2018
SUSE Timeline for this CVECVE page created: Fri Jun 28 02:24:32 2013
CVE page last modified: Fri Dec 8 16:24:28 2023