cbcvebase.
CVE-2007-5333
published 2008-02-12

Priority: P3
Severity: medium (4.3); CVSS 2.0 base score 5.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Exploit: public exploit known
EPSS: 62.58% (99.1st percentile)
Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385.

Affected (8 ranges)

Vendor    Product                  Version range     Fixed in
apache    tomcat                   4.1.0 – 4.1.36
apache    tomcat                   5.5.0 – 5.5.25
apache    tomcat                   6.0.0 – 6.0.14
vmware    esxi
vmware    vmware_tools
vmware    vmware_vcenter_server
vmware    vmware_vsphere
vmware    vmware_workstation

Detection & IOCs (extracted from sources)

URL: http://www.example.com/examples/servlets/servlet/CookieExample?cookiename=test&cookievalue=test%5c%5c%22%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A01+UTC%3B+Path%3D%2Fservlets-examples%2Fservlet+%3B
  • Detect HTTP requests containing cookie values with double-quote characters (") or encoded backslash sequences (%5C) that may be used to manipulate cookie parsing and leak session IDs.
  • Inspect HTTP Cookie headers for malformed quoted values (e.g., unbalanced or embedded double quotes within cookie value fields) as an indicator of exploitation attempts against CVE-2007-5333.
  • Monitor requests to Apache Tomcat servlet/cookie example endpoints (e.g., /examples/servlets/servlet/CookieExample) with URL-encoded backslash (%5C) and double-quote (%22) sequences in query parameters, which are characteristic of this exploit.
  • Affected versions span Apache Tomcat 4.1.0–4.1.36, 5.5.0–5.5.25, and 6.0.0–6.0.14; this vulnerability is an incomplete fix for CVE-2007-3385, so environments patched only for that prior CVE remain vulnerable.
  • This issue exists because of an incomplete fix for CVE-2007-3385; systems believed to be remediated via that earlier fix should be re-evaluated.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N
ghsa                      4.3     MEDIUM
osv                       4.3     MEDIUM
vendor_redhat             4.3     MEDIUM