Description

The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

Remediation

References

http://issues.apache.org/bugzilla/show_bug.cgi?id=41217

http://security-tracker.debian.net/tracker/CVE-2008-0128

http://www.debian.org/security/2008/dsa-1468

http://www.securityfocus.com/bid/27365

http://secunia.com/advisories/28549

http://secunia.com/advisories/28552

http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html

http://secunia.com/advisories/29242

http://www.redhat.com/support/errata/RHSA-2008-0261.html

http://rhn.redhat.com/errata/RHSA-2008-0630.html

http://secunia.com/advisories/31493

http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx

http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540

http://secunia.com/advisories/33668

http://www.vupen.com/english/advisories/2009/0233

http://www.vupen.com/english/advisories/2008/0192

https://exchange.xforce.ibmcloud.com/vulnerabilities/39804

http://www.securityfocus.com/archive/1/500412/100/0/threaded

http://www.securityfocus.com/archive/1/500396/100/0/threaded

https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E

Related Vulnerabilities

CVE-2023-31101 Vulnerability in maven package org.apache.inlong:manager-pojo

CVE-2011-2204 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2020-13949 Vulnerability in maven package org.apache.thrift:libthrift

CVE-2017-12647 Vulnerability in maven package com.liferay:com.liferay.knowledge.base.service

CVE-2015-8851 Vulnerability in maven package org.webjars.npm:node-uuid

Severity

Critical

Classification

CWE-16

Tags

Patch Vendor Advisory