CVE-2007-3385Sensitive Information Exposure in Apache Tomcat

CWE-200Sensitive Information Exposure13 documents7 sources
Severity
4.3MEDIUMNVD
EPSS
81.4%
top 0.83%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache Tomcat
Timeline
PublishedAug 14
Latest updateMay 1

Description

Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 does not properly handle the \" character sequence in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

NVDapache/tomcat84 versions+83

Patches

Patch: www.kb.cert.orgPatch: www.kb.cert.org

🔴Vulnerability Details

4
OSV
Apache Tomcat Mishandles Character Sequence in Cookies2022-05-01
GHSA
Apache Tomcat Mishandles Character Sequence in Cookies2022-05-01
GHSA
Exposure of Sensitive Information in Apache Tomcat2022-05-01
CVEList
CVE-2007-3385: Apache Tomcat 62007-08-14

💥Exploits & PoCs

1
Exploit-DB
Apache Tomcat 6.0.15 - Cookie Quote Handling Remote Information Disclosure2008-02-09

📋Vendor Advisories

2
Red Hat
Improve cookie parsing for tomcat52008-02-11
Red Hat
tomcat handling of cookie values2007-08-14

💬Community

5
Bugzilla
CVE-2007-5333 Improve cookie parsing for tomcat5 [rhn_satellite_5.0]2008-01-10
Bugzilla
CVE-2007-3382 CVE-2007-3385 CVE-2007-3386 tomcat5 various flaws [Fdevel]2007-08-24
Bugzilla
CVE-2007-3382 CVE-2007-3385 CVE-2007-3386 tomcat5 various flaws [F7]2007-08-24
Bugzilla
CVE-2007-3382 CVE-2007-3385 CVE-2007-3386 tomcat5 various flaws [FC6]2007-08-24
Bugzilla
CVE-2007-3385 tomcat handling of cookie values2007-07-12
CVE-2007-3385 — Sensitive Information Exposure | cvebase