CVE-2007-3385
published 2007-08-14


Priority: P4 28
Severity: medium, 4.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 16.94% (96.7th percentile)
Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 does not properly handle the \" character sequence in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks.

Affected

87 ranges· showing 25
Vendor: apache
Product: tomcat

Detection & IOCs (extracted from sources)

cookie: name="val " ue"
url: http://www.example.com/examples/servlets/servlet/CookieExample?cookiename=test&cookievalue=test%5c%5c%22%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A01+UTC%3B+Path%3D%2Fservlets-examples%2Fservlet+%3B
  • Detect HTTP requests containing a Cookie header with an embedded double-quote character inside a cookie value, which is the primary attack vector for session ID leakage.
  • Detect HTTP requests containing %5C (URL-encoded backslash) sequences within cookie values, as these are used to bypass cookie parsing and leak session information.
  • Detect the \" (backslash-double-quote) character sequence specifically within cookie values sent to Apache Tomcat, as this was the original CVE-2007-3385 attack pattern.
  • Flag requests to Apache Tomcat servlet/cookie example endpoints (e.g., /examples/servlets/servlet/CookieExample) with crafted cookievalue parameters containing encoded backslash and quote sequences.
  • CVE-2007-5333 exists because the fix for CVE-2007-3385 was incomplete; patching to 5.5.25 or 6.0.15 is insufficient — versions up to 5.5.25 and 6.0.14 remain vulnerable to the bypass via %5C sequences.
  • The vulnerability is exploitable through the bundled servlet examples (e.g., CookieExample); severity is rated low partly because it is confined to example applications, but those examples should be removed from production deployments.
  • Affected version ranges span multiple major branches: Tomcat 3.3–3.3.2, 4.1.0–4.1.36, 5.0.0–5.0.30, 5.5.0–5.5.25, and 6.0.0–6.0.14; ensure detection/patching covers all deployed branches.

CVSS provenance

nvd: v2.0, 4.3 MEDIUM, AV:N/AC:M/Au:N/C:P/I:N/A:N
ghsa: 4.3 MEDIUM
osv: 4.3 MEDIUM
vendor_redhat: 4.3 MEDIUM