Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2007-3382: Sensitive Information Exposure in Apache Tomcat

Severity: 4.3 MEDIUM (NVD)
EPSS: 83.9% (top 0.70%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline
Published: Aug 14
Latest update: May 1

Description

Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 treats single quotes ("'") as delimiters in cookies, which might cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks.

CVSS vector

AV:N/AC:M/C:P/I:N/A:N
Exploitability: 8.6 | Impact: 2.9

Affected Packages (1 package)

NVD: apache/tomcat, 84 versions

🔴 Vulnerability Details (3)

OSV: Apache Tomcat treats single quotes as delimiters in cookies (2022-05-01)
GHSA: Apache Tomcat treats single quotes as delimiters in cookies (2022-05-01)
CVEList: CVE-2007-3382: Apache Tomcat 6 (2007-08-14)

💥 Exploits & PoCs (1)

Exploit-DB: Apache Tomcat 6.0.13 - Insecure Cookie Handling Quote Delimiter Session ID Disclosure (2007-08-14)

📋 Vendor Advisories (1)

Red Hat: tomcat handling of cookies (2007-08-14)

💬 Community (5)

Bugzilla: CVE-2007-5333 Improve cookie parsing for tomcat5 [rhn_satellite_5.0] (2008-01-10)
Bugzilla: CVE-2007-3382 CVE-2007-3385 CVE-2007-3386 tomcat5 various flaws [Fdevel] (2007-08-24)
Bugzilla: CVE-2007-3382 CVE-2007-3385 CVE-2007-3386 tomcat5 various flaws [F7] (2007-08-24)
Bugzilla: CVE-2007-3382 CVE-2007-3385 CVE-2007-3386 tomcat5 various flaws [FC6] (2007-08-24)
Bugzilla: CVE-2007-3382 tomcat handling of cookies (2007-07-12)