CVE-2010-4312Sensitive Cookie Without 'HttpOnly' Flag in Apache Tomcat

CWE-16CWE-1004Sensitive Cookie Without 'HttpOnly' Flag6 documents6 sources
Severity
6.4MEDIUMNVD
EPSS
1.7%
top 17.49%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache Tomcat
Timeline
PublishedNov 26
Latest updateMay 14

Description

The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie.

CVSS vector

AV:N/AC:L/C:N/I:P/A:PExploitability: 10.0 | Impact: 4.9

Affected Packages1 packages

NVDapache/tomcat27 versions+26

🔴Vulnerability Details

3
OSV
Apache Tomcat has cookies without HTTPOnly flag in Set-Cookie header2022-05-14
GHSA
Apache Tomcat has cookies without HTTPOnly flag in Set-Cookie header2022-05-14
CVEList
CVE-2010-4312: The default configuration of Apache Tomcat 62010-11-26

📋Vendor Advisories

1
Red Hat
tomcat6: does not use HTTPOnly for session cookies by default2010-11-22

💬Community

1
Bugzilla
CVE-2010-4312 tomcat6: does not use HTTPOnly for session cookies by default2010-11-29
CVE-2010-4312 — Apache Tomcat vulnerability | cvebase