CVE-2007-3385
Published 2007-08-14
Priority P428 · medium · CVSS 2.0: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
EXPLOIT
EPSS 16.94% (96.7th percentile)
Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 does not properly handle the \" character sequence in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks.
Affected
87 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | tomcat | — | — |
Detection & IOCs
URL: http://www.example.com/examples/servlets/servlet/CookieExample?cookiename=test&cookievalue=test%5c%5c%22%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A01+UTC%3B+Path%3D%2Fservlets-examples%2Fservlet+%3B
- Detect HTTP requests containing a Cookie header with an embedded double-quote character inside a cookie value, which is the primary attack vector for session ID leakage.
- Detect HTTP requests containing %5C (URL-encoded backslash) sequences within cookie values, as these are used to bypass cookie parsing and leak session information.
- Detect the \" (backslash-double-quote) character sequence specifically within cookie values sent to Apache Tomcat, as this was the original CVE-2007-3385 attack pattern.
- Flag requests to Apache Tomcat servlet/cookie example endpoints (e.g., /examples/servlets/servlet/CookieExample) with crafted cookievalue parameters containing encoded backslash and quote sequences.
- CVE-2007-5333 exists because the fix for CVE-2007-3385 was incomplete; patching to 5.5.25 or 6.0.15 is insufficient; versions up to 5.5.25 and 6.0.14 remain vulnerable to the bypass via %5C sequences.
- The vulnerability is exploitable through the bundled servlet examples (e.g., CookieExample); severity is rated low partly because it is confined to example applications, but those examples should be removed from production deployments.
- Affected version ranges span multiple major branches: Tomcat 3.3–3.3.2, 4.1.0–4.1.36, 5.0.0–5.0.30, 5.5.0–5.5.25, and 6.0.0–6.0.14; ensure detection/patching covers all deployed branches.
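The detection points listed above can be combined into one triage check over request targets and Cookie headers. This is an added example, not code from this page or from the Tomcat project; the function names and finding labels are hypothetical, the cookie headers are constructed, and the first sample is shortened from the sample URL shown above.

```python
import re
from urllib.parse import urlsplit, unquote

# Path fragment taken from the sample URL on this page.
EXAMPLE_PATH = "/servlets/servlet/CookieExample"

def classify_value(raw):
    """Return the findings for one raw (still percent-encoded) cookie value."""
    findings = set()
    if re.search(r"%5c", raw, re.IGNORECASE):
        findings.add("encoded-backslash")      # the CVE-2007-5333 %5C form
    decoded = unquote(raw)
    if '\\"' in decoded:
        findings.add("backslash-quote")        # the CVE-2007-3385 \" sequence
    else:
        # A value wrapped in one pair of quotes is legal; inspect its inside.
        wrapped = len(decoded) >= 2 and decoded[0] == decoded[-1] == '"'
        inner = decoded[1:-1] if wrapped else decoded
        if '"' in inner:
            findings.add("embedded-quote")     # bare " inside the value
    return findings

def scan_request(target, cookie_header=""):
    """Return sorted (where, name, finding) tuples for one HTTP request."""
    hits = []
    parts = urlsplit(target)
    if EXAMPLE_PATH in parts.path:             # bundled CookieExample servlet
        for pair in parts.query.split("&"):
            name, _, raw = pair.partition("=")
            if name == "cookievalue":
                hits += [("query", name, f) for f in classify_value(raw)]
    for item in cookie_header.split(";"):      # naive split: enough for triage
        name, _, raw = item.strip().partition("=")
        if name:
            hits += [("cookie", name, f) for f in classify_value(raw)]
    return sorted(hits)

# Constructed sample requests: (request target, Cookie header).
SAMPLES = [
    ("/examples/servlets/servlet/CookieExample?cookiename=test"
     "&cookievalue=test%5c%5c%22%3B+Expires%3DThu%2C+1+Jan+2009", ""),
    ("/app/home", 'JSESSIONID=0123ABCD; theme="dark mode"'),
    ("/app/home", 'JSESSIONID=0123ABCD; note=a\\"b'),
    ("/app/home", "JSESSIONID=0123ABCD; v=a%5Cb"),
]

if __name__ == "__main__":
    for target, cookie in SAMPLES:
        print(target[:40], scan_request(target, cookie))
```

A value that is wrapped in a single pair of double quotes is treated as legitimate, so only quotes inside the value raise a finding.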
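CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| ghsa | | 4.3 | MEDIUM | |
| osv | | 4.3 | MEDIUM | |
| vendor_redhat | | 4.3 | MEDIUM | |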
Red Hat
Improve cookie parsing for tomcat5
vendor_redhat · 2008-02-11 · CVSS 4.3
CVE-2007-5333 [MEDIUM] Improve cookie parsing for tomcat5
Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385.
Statement: Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5333
The Red Hat Product Security has rated this issue as having low security impact; a future update may address this flaw.
Red Hat
tomcat handling of cookie values
vendor_redhat · 2007-08-14 · CVSS 4.3
CVE-2007-3385 [MEDIUM] tomcat handling of cookie values
Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 does not properly handle the \" character sequence in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks.
GHSA
Exposure of Sensitive Information in Apache Tomcat
ghsa · 2022-05-01 · CVSS 4.3
CVE-2007-5333 [MEDIUM] CWE-200 Exposure of Sensitive Information in Apache Tomcat
Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385.
OSV
Exposure of Sensitive Information in Apache Tomcat
osv · 2022-05-01 · CVSS 4.3
CVE-2007-5333 [MEDIUM] Exposure of Sensitive Information in Apache Tomcat
Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385.
OSV
Apache Tomcat Mishandles Character Sequence in Cookies
osv · 2022-05-01
CVE-2007-3385 [MEDIUM] Apache Tomcat Mishandles Character Sequence in Cookies
Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 does not properly handle the `\"` character sequence in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks.
GHSA
Apache Tomcat Mishandles Character Sequence in Cookies
ghsa · 2022-05-01
CVE-2007-3385 [MEDIUM] CWE-200 Apache Tomcat Mishandles Character Sequence in Cookies
Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 does not properly handle the `\"` character sequence in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks.
No detection rules found.
Bugzilla
CVE-2007-5333 Improve cookie parsing for tomcat5 [rhn_satellite_5.0]
bugzilla · 2008-01-10 · CVSS 4.3
CVE-2007-5333 [MEDIUM] CVE-2007-5333 Improve cookie parsing for tomcat5 [rhn_satellite_5.0]
rhn_satellite_5.0 tracking bug: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes in the 'blocks' bugs.
For the security issues handling process overview see: http://intranet.corp.redhat.com/ic/intranet/SecurityZStreamFAQ
[bug automatically created by: add-tracking-bugs]
Discussion:
[root@rlx-3-18 RPMS]# ls tomcat5-5.0.30-0jpp_9rh.noarch.rpm
tomcat5-5.0.30-0jpp_9rh.noarch.rpm
[root@rlx-3-18 RPMS]# pwd
/tmp/mnt/RPMS
[root@rlx-3-18 RPMS]#
verified
---
This is not a bug. The real issue that was talked about is actually:
private bug Bugzilla Bug 430731: CVE-2007-5461 CVE-2007-3385 CVE-2007-3382
CVE-2007-1358 CVE-2007-1355 CVE-2007
Bugzilla
CVE-2007-3382 CVE-2007-3385 CVE-2007-3386 tomcat5 various flaws [Fdevel]
bugzilla · 2007-08-24 · CVSS 4.3
CVE-2007-3382 [MEDIUM] CVE-2007-3382 CVE-2007-3385 CVE-2007-3386 tomcat5 various flaws [Fdevel]
Fdevel tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
This is already fixed in 5.5.25. Closing bug.
Bugzilla
CVE-2007-3382 CVE-2007-3385 CVE-2007-3386 tomcat5 various flaws [F7]
bugzilla · 2007-08-24 · CVSS 4.3
CVE-2007-3382 [MEDIUM] CVE-2007-3382 CVE-2007-3385 CVE-2007-3386 tomcat5 various flaws [F7]
F7 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
This is already fixed in 5.5.25. Closing bug.
Bugzilla
CVE-2007-3382 CVE-2007-3385 CVE-2007-3386 tomcat5 various flaws [FC6]
bugzilla · 2007-08-24 · CVSS 4.3
CVE-2007-3382 [MEDIUM] CVE-2007-3382 CVE-2007-3385 CVE-2007-3386 tomcat5 various flaws [FC6]
FC6 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
Closing this bug, since FC-6 is now unsupported.
Bugzilla
CVE-2007-3385 tomcat handling of cookie values
bugzilla · 2007-07-12 · CVSS 4.3
CVE-2007-3385 [MEDIUM] CVE-2007-3385 tomcat handling of cookie values
VU#391448
Mark Thomas said:
I had slightly different results to Jean-Frederic.
6.0.x - fixed - http://svn.apache.org/viewvc?view=rev&rev=553410
5.5.x - affected
5.0.x - IAE in some cases
4.1.x - affected
3.3.x - affected
This is all in the examples, so severity is low.
Discussion:
now public, removing embargo
http://tomcat.apache.org/security-4.html
---
tomcat5-5.5.25-1jpp.1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
---
tomcat5-5.5.25-1jpp.1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
---
This issue has been addressed in following products:
Red Hat Certificate System 7.
Published 2007-08-14