CVE-2012-4529

5 documents5 sources

Severity

4.3MEDIUM

EPSS

0.6%

top 31.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss Community Application Server Redhat Jboss Enterprise Application Platform

Timeline

PublishedOct 28

Latest updateMay 17

Description

The org.apache.catalina.connector.Response.encodeURL method in Red Hat JBoss Web 7.1.x and earlier, when the tracking mode is set to COOKIE, sends the jsessionid in the URL of the first response of a session, which allows remote attackers to obtain the session id (1) via a man-in-the-middle attack or (2) by reading a log.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

▶NVDredhat/jboss_community_application_server7.1.1+9

▶NVDredhat/jboss_enterprise_application_platform6.0.0

🔴Vulnerability Details

GHSA

GHSA-jfrq-h23h-p4q6: The org↗2022-05-17

▶

CVEList

CVE-2012-4529: The org↗2013-10-28

▶

📋Vendor Advisories

Red Hat

Web: jsessionid exposed via encoded url when using cookie based session tracking↗2012-10-10

▶

💬Community

Bugzilla

CVE-2012-4529 JBoss Web: jsessionid exposed via encoded url when using cookie based session tracking↗2012-10-19

▶