CVE-2008-0128
published 2008-01-23CVE-2008-0128: The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO…
PriorityP432medium5CVSS 2.0
AVNACLAuNCPINAN
EPSS
19.62%
97.0th percentile
The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | tomcat | <= 5.5.20 | — |
CVSS provenance
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vendor_redhat5.0MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
tomcat5 SSO cookie login information disclosure
vendor_redhat·2006-12-20·CVSS 5.0
CVE-2008-0128 [MEDIUM] tomcat5 SSO cookie login information disclosure
tomcat5 SSO cookie login information disclosure
The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
GHSA
GHSA-qjw9-54p2-cgcx: The SingleSignOn Valve (org
ghsa_unreviewed·2022-05-01
CVE-2008-0128 [MEDIUM] GHSA-qjw9-54p2-cgcx: The SingleSignOn Valve (org
The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2008-0128 tomcat5 SSO cookie login information disclosure [rhn_satellite_5.0]
bugzilla·2008-01-23·CVSS 5.0
CVE-2008-0128 [MEDIUM] CVE-2008-0128 tomcat5 SSO cookie login information disclosure [rhn_satellite_5.0]
CVE-2008-0128 tomcat5 SSO cookie login information disclosure [rhn_satellite_5.0]
rhn_satellite_5.0 tracking bug: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes in the 'blocks' bugs.
For the security issues handling process overview see: http://intranet.corp.redhat.com/ic/intranet/SecurityZStreamFAQ
[bug automatically created by: add-tracking-bugs]
Discussion:
The fix is something like http://svn.apache.org/viewvc?view=rev&revision=500626
---
> [16:02] msuchy, pong
> [16:03] fnasser_inmtg: can you apply this patch
https://bugzilla.redhat.com/show_bug.cgi?id=429835#c2 to tomcat5 and rebuild it?
> [16:04] fnasser_inmtg: I need to import to RHN Satellite
> [16:06] msuchy, Sure, but please send it
Bugzilla
CVE-2008-0128 tomcat5 SSO cookie login information disclosure [rhn_satellite_4.2]
bugzilla·2008-01-23·CVSS 5.0
CVE-2008-0128 [MEDIUM] CVE-2008-0128 tomcat5 SSO cookie login information disclosure [rhn_satellite_4.2]
CVE-2008-0128 tomcat5 SSO cookie login information disclosure [rhn_satellite_4.2]
rhn_satellite_4.2 tracking bug: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes in the 'blocks' bugs.
For the security issues handling process overview see: http://intranet.corp.redhat.com/ic/intranet/SecurityZStreamFAQ
[bug automatically created by: add-tracking-bugs]
Discussion:
Promoted tomcat5-5.0.30-0jpp_10rh.noarch.rpm from support-satellite-5.0-4AS-java
collection, where we fixed it.
---
QA push for 4.2.3 complete: satellite-4.2.3-1 and proxy-4.2.3-1 are
now on webqa. Note that there is _no_ ISO planned for the 4.2.3
release.
Developers, please move your bugs ON_QA.
---
verified
tomcat5-5.0.30-0jpp_10rh.
Bugzilla
CVE-2008-0128 tomcat5 SSO cookie login information disclosure
bugzilla·2008-01-23·CVSS 5.0
CVE-2008-0128 [MEDIUM] CVE-2008-0128 tomcat5 SSO cookie login information disclosure
CVE-2008-0128 tomcat5 SSO cookie login information disclosure
Description of problem:
from [http://issues.apache.org/bugzilla/show_bug.cgi?id=41217]
"""When using the SingleSignOn Valve
(org.apache.catalina.authenticator.SingleSignOn) via https the Cookie
JSESSIONIDSSO is transmitted without the "secure" attribute, resulting in it
being transmitted to any content that is - by purpose or error - requested via
http from the same server.
As the content of the SSO-Cookie is confidential (it will lead to automatically
logged in sessions in other contexts - https or non-https) this should never
happen. """
Also according to the asf bz the upstream versions before 5.5.21 are vulnerable.
Discussion:
This issue has been addressed in following products:
Red Hat Certificate System 7.3
Via RH
Bugzilla
CVE-2008-0128 tomcat5 SSO cookie login information disclosure [rhn_satellite_4.0]
bugzilla·2008-01-23·CVSS 5.0
CVE-2008-0128 [MEDIUM] CVE-2008-0128 tomcat5 SSO cookie login information disclosure [rhn_satellite_4.0]
CVE-2008-0128 tomcat5 SSO cookie login information disclosure [rhn_satellite_4.0]
rhn_satellite_4.0 tracking bug: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes in the 'blocks' bugs.
For the security issues handling process overview see: http://intranet.corp.redhat.com/ic/intranet/SecurityZStreamFAQ
[bug automatically created by: add-tracking-bugs]
Bugzilla
CVE-2008-0128 tomcat5 SSO cookie login information disclosure [rhn_satellite_4.1]
bugzilla·2008-01-23·CVSS 5.0
CVE-2008-0128 [MEDIUM] CVE-2008-0128 tomcat5 SSO cookie login information disclosure [rhn_satellite_4.1]
CVE-2008-0128 tomcat5 SSO cookie login information disclosure [rhn_satellite_4.1]
rhn_satellite_4.1 tracking bug: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes in the 'blocks' bugs.
For the security issues handling process overview see: http://intranet.corp.redhat.com/ic/intranet/SecurityZStreamFAQ
[bug automatically created by: add-tracking-bugs]
http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspxhttp://issues.apache.org/bugzilla/show_bug.cgi?id=41217http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.htmlhttp://rhn.redhat.com/errata/RHSA-2008-0630.htmlhttp://secunia.com/advisories/28549http://secunia.com/advisories/28552http://secunia.com/advisories/29242http://secunia.com/advisories/31493http://secunia.com/advisories/33668http://security-tracker.debian.net/tracker/CVE-2008-0128http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540http://www.debian.org/security/2008/dsa-1468http://www.redhat.com/support/errata/RHSA-2008-0261.htmlhttp://www.securityfocus.com/archive/1/500396/100/0/threadedhttp://www.securityfocus.com/archive/1/500412/100/0/threadedhttp://www.securityfocus.com/bid/27365http://www.vupen.com/english/advisories/2008/0192http://www.vupen.com/english/advisories/2009/0233https://exchange.xforce.ibmcloud.com/vulnerabilities/39804https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3Ehttp://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspxhttp://issues.apache.org/bugzilla/show_bug.cgi?id=41217http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.htmlhttp://rhn.redhat.com/errata/RHSA-2008-0630.htmlhttp://secunia.com/advisories/28549http://secunia.com/advisories/28552http://secunia.com/advisories/29242http://secunia.com/advisories/31493http://secunia.com/advisories/33668http://security-tracker.debian.net/tracker/CVE-2008-0128http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540http://www.debian.org/security/2008/dsa-1468http://www.redhat.com/support/errata/RHSA-2008-0261.htmlhttp://www.securityfocus.com/archive/1/500396/100/0/threadedhttp://www.securityfocus.com/archive/1/500412/100/0/threadedhttp://www.securityfocus.com/bid/27365http://www.vupen.com/english/advisories/2008/0192http://www.vupen.com/english/advisories/2009/0233https://exchange.xforce.ibmcloud.com/vulnerabilities/39804https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
2008-01-23
Published