CVE-2007-3382
Vulnerability Summary
Timeline
Description
Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 treats single quotes ("'") as delimiters in cookies, which might cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks.
CVSS Metrics
- v2.0 • MEDIUM • Score: 4.3 • Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
EPSS Trends
Current EPSS score: 81.41% • Percentile: 99%
Techniques & Countermeasures
- CWE-200 • Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Affected Systems
- Unknown • Tomcat
3.3 | 3.3.1 | 3.3.1a | 3.3.2 | 4.1.0 | 4.1.1 | 4.1.2 | 4.1.3 | 4.1.3:beta | 4.1.9:beta | 4.1.10 | 4.1.15 | 4.1.24 | 4.1.28 | 4.1.31 | 4.1.36 | 5.0.0 | 5.0.1 | 5.0.2 | 5.0.3 | 5.0.4 | 5.0.5 | 5.0.6 | 5.0.7 | 5.0.8 | 5.0.9 | 5.0.10 | 5.0.11 | 5.0.12 | 5.0.13 | 5.0.14 | 5.0.15 | 5.0.16 | 5.0.17 | 5.0.18 | 5.0.19 | 5.0.21 | 5.0.22 | 5.0.23 | 5.0.24 | 5.0.25 | 5.0.26 | 5.0.27 | 5.0.28 | 5.0.29 | 5.0.30 | 5.5.0 | 5.5.1 | 5.5.2 | 5.5.3 | 5.5.4 | 5.5.5 | 5.5.6 | 5.5.7 | 5.5.8 | 5.5.9 | 5.5.10 | 5.5.11 | 5.5.12 | 5.5.13 | 5.5.14 | 5.5.15 | 5.5.16 | 5.5.17 | 5.5.18 | 5.5.19 | 5.5.20 | 5.5.21 | 5.5.22 | 5.5.23 | 5.5.24 | 6.0.0 | 6.0.1 | 6.0.2 | 6.0.3 | 6.0.4 | 6.0.5 | 6.0.6 | 6.0.7 | 6.0.8 | 6.0.9 | 6.0.10 | 6.0.11 | 6.0.12 | 6.0.13
- org.apache.tomcat • tomcat
≥ 6.0.0, ≤ 6.0.13 | ≥ 5.5.0, ≤ 5.5.24 | ≥ 5.0.0, ≤ 5.0.30 | ≥ 4.1.0, ≤ 4.1.36 | ≥ 3.3.0, ≤ 3.3.2
References (50)
- http://www.debian.org/security/2008/dsa-1453
- http://www.redhat.com/support/errata/RHSA-2007-0950.html
- http://support.apple.com/kb/HT2163
- http://www.securityfocus.com/archive/1/476466/100/0/threaded
- http://www.vupen.com/english/advisories/2008/1981/references
- https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html
- http://secunia.com/advisories/27267
- http://secunia.com/advisories/29242
- http://www.vupen.com/english/advisories/2007/3527
- http://securitytracker.com/id?1018556
- http://secunia.com/advisories/26466
- http://www.securityfocus.com/archive/1/500412/100/0/threaded
- http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html
- http://secunia.com/advisories/33668
- http://www.vupen.com/english/advisories/2007/2902
- http://www.securityfocus.com/archive/1/500396/100/0/threaded
- http://secunia.com/advisories/26898
- http://secunia.com/advisories/28361
- http://www-01.ibm.com/support/docview.wss?uid=swg1IZ55562
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01192554
- http://secunia.com/advisories/28317
- http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html
- http://www.vupen.com/english/advisories/2009/0233
- http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
- http://tomcat.apache.org/security-6.html
- http://www.redhat.com/support/errata/RHSA-2007-0871.html
- http://www.vupen.com/english/advisories/2007/3386
- http://secunia.com/advisories/30802
- http://www.redhat.com/support/errata/RHSA-2008-0195.html
- http://secunia.com/advisories/27037
- http://www.securityfocus.com/bid/25316
- http://www.kb.cert.org/vuls/id/993544
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795
- http://secunia.com/advisories/27727
- http://www.securityfocus.com/archive/1/476442/100/0/threaded
- http://www.redhat.com/support/errata/RHSA-2008-0261.html
- http://secunia.com/advisories/36486
- http://www.debian.org/security/2008/dsa-1447
- http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11269
- http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36006
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:241
- https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2007-3382
- https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E