CVE-2008-0128 — Apache Tomcat vulnerability

CWE-169 documents5 sources

Severity

5.0MEDIUMNVD

EPSS

3.9%

top 11.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tomcat

Timeline

PublishedJan 23

Latest updateMay 1

Description

The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

▶NVDapache/tomcat5.5.20

Patches

Patch: issues.apache.org ↗Patch: issues.apache.org ↗

🔴Vulnerability Details

GHSA

GHSA-qjw9-54p2-cgcx: The SingleSignOn Valve (org↗2022-05-01

▶

CVEList

CVE-2008-0128: The SingleSignOn Valve (org↗2008-01-23

▶

📋Vendor Advisories

Red Hat

tomcat5 SSO cookie login information disclosure↗2006-12-20

▶

💬Community

Bugzilla

CVE-2008-0128 tomcat5 SSO cookie login information disclosure [rhn_satellite_5.0]↗2008-01-23

▶

Bugzilla

CVE-2008-0128 tomcat5 SSO cookie login information disclosure [rhn_satellite_4.2]↗2008-01-23

▶

Bugzilla

CVE-2008-0128 tomcat5 SSO cookie login information disclosure↗2008-01-23

▶

Bugzilla

CVE-2008-0128 tomcat5 SSO cookie login information disclosure [rhn_satellite_4.0]↗2008-01-23

▶

Bugzilla

CVE-2008-0128 tomcat5 SSO cookie login information disclosure [rhn_satellite_4.1]↗2008-01-23

▶