ID CVE-2007-3385
Summary Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 does not properly handle the \" character sequence in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks.
References
Vulnerable Configurations
  • Apache Software Foundation Tomcat 3.3
    cpe:2.3:a:apache:tomcat:3.3
  • Apache Software Foundation Tomcat 3.3.1
    cpe:2.3:a:apache:tomcat:3.3.1
  • Apache Software Foundation Tomcat 3.3.1a
    cpe:2.3:a:apache:tomcat:3.3.1a
  • Apache Software Foundation Tomcat 3.3.2
    cpe:2.3:a:apache:tomcat:3.3.2
  • Apache Software Foundation Tomcat 4.1.0
    cpe:2.3:a:apache:tomcat:4.1.0
  • Apache Software Foundation Tomcat 4.1.1
    cpe:2.3:a:apache:tomcat:4.1.1
  • Apache Software Foundation Tomcat 4.1.2
    cpe:2.3:a:apache:tomcat:4.1.2
  • Apache Software Foundation Tomcat 4.1.3
    cpe:2.3:a:apache:tomcat:4.1.3
  • Apache Software Foundation Tomcat 4.1.3 beta
    cpe:2.3:a:apache:tomcat:4.1.3:beta
  • Apache Software Foundation Tomcat 4.1.9 beta
    cpe:2.3:a:apache:tomcat:4.1.9:beta
  • Apache Software Foundation Tomcat 4.1.10
    cpe:2.3:a:apache:tomcat:4.1.10
  • Apache Software Foundation Tomcat 4.1.15
    cpe:2.3:a:apache:tomcat:4.1.15
  • Apache Software Foundation Tomcat 4.1.24
    cpe:2.3:a:apache:tomcat:4.1.24
  • Apache Software Foundation Tomcat 4.1.28
    cpe:2.3:a:apache:tomcat:4.1.28
  • Apache Software Foundation Tomcat 4.1.31
    cpe:2.3:a:apache:tomcat:4.1.31
  • Apache Software Foundation Tomcat 4.1.36
    cpe:2.3:a:apache:tomcat:4.1.36
  • Apache Software Foundation Tomcat 5.0.0
    cpe:2.3:a:apache:tomcat:5.0.0
  • Apache Software Foundation Tomcat 5.0.1
    cpe:2.3:a:apache:tomcat:5.0.1
  • Apache Software Foundation Tomcat 5.0.2
    cpe:2.3:a:apache:tomcat:5.0.2
  • Apache Software Foundation Tomcat 5.0.3
    cpe:2.3:a:apache:tomcat:5.0.3
  • Apache Software Foundation Tomcat 5.0.4
    cpe:2.3:a:apache:tomcat:5.0.4
  • Apache Software Foundation Tomcat 5.0.5
    cpe:2.3:a:apache:tomcat:5.0.5
  • Apache Software Foundation Tomcat 5.0.6
    cpe:2.3:a:apache:tomcat:5.0.6
  • Apache Software Foundation Tomcat 5.0.7
    cpe:2.3:a:apache:tomcat:5.0.7
  • Apache Software Foundation Tomcat 5.0.8
    cpe:2.3:a:apache:tomcat:5.0.8
  • Apache Software Foundation Tomcat 5.0.9
    cpe:2.3:a:apache:tomcat:5.0.9
  • Apache Software Foundation Tomcat 5.0.10
    cpe:2.3:a:apache:tomcat:5.0.10
  • Apache Software Foundation Tomcat 5.0.11
    cpe:2.3:a:apache:tomcat:5.0.11
  • Apache Software Foundation Tomcat 5.0.12
    cpe:2.3:a:apache:tomcat:5.0.12
  • Apache Software Foundation Tomcat 5.0.13
    cpe:2.3:a:apache:tomcat:5.0.13
  • Apache Software Foundation Tomcat 5.0.14
    cpe:2.3:a:apache:tomcat:5.0.14
  • Apache Software Foundation Tomcat 5.0.15
    cpe:2.3:a:apache:tomcat:5.0.15
  • Apache Software Foundation Tomcat 5.0.16
    cpe:2.3:a:apache:tomcat:5.0.16
  • Apache Software Foundation Tomcat 5.0.17
    cpe:2.3:a:apache:tomcat:5.0.17
  • Apache Software Foundation Tomcat 5.0.18
    cpe:2.3:a:apache:tomcat:5.0.18
  • Apache Software Foundation Tomcat 5.0.19
    cpe:2.3:a:apache:tomcat:5.0.19
  • Apache Software Foundation Tomcat 5.0.21
    cpe:2.3:a:apache:tomcat:5.0.21
  • Apache Software Foundation Tomcat 5.0.22
    cpe:2.3:a:apache:tomcat:5.0.22
  • Apache Software Foundation Tomcat 5.0.23
    cpe:2.3:a:apache:tomcat:5.0.23
  • Apache Software Foundation Tomcat 5.0.24
    cpe:2.3:a:apache:tomcat:5.0.24
  • Apache Software Foundation Tomcat 5.0.25
    cpe:2.3:a:apache:tomcat:5.0.25
  • Apache Software Foundation Tomcat 5.0.26
    cpe:2.3:a:apache:tomcat:5.0.26
  • Apache Software Foundation Tomcat 5.0.27
    cpe:2.3:a:apache:tomcat:5.0.27
  • Apache Software Foundation Tomcat 5.0.28
    cpe:2.3:a:apache:tomcat:5.0.28
  • Apache Software Foundation Tomcat 5.0.29
    cpe:2.3:a:apache:tomcat:5.0.29
  • Apache Software Foundation Tomcat 5.0.30
    cpe:2.3:a:apache:tomcat:5.0.30
  • Apache Software Foundation Tomcat 5.5.0
    cpe:2.3:a:apache:tomcat:5.5.0
  • Apache Software Foundation Tomcat 5.5.1
    cpe:2.3:a:apache:tomcat:5.5.1
  • Apache Software Foundation Tomcat 5.5.2
    cpe:2.3:a:apache:tomcat:5.5.2
  • Apache Software Foundation Tomcat 5.5.3
    cpe:2.3:a:apache:tomcat:5.5.3
  • Apache Software Foundation Tomcat 5.5.4
    cpe:2.3:a:apache:tomcat:5.5.4
  • Apache Software Foundation Tomcat 5.5.5
    cpe:2.3:a:apache:tomcat:5.5.5
  • Apache Software Foundation Tomcat 5.5.6
    cpe:2.3:a:apache:tomcat:5.5.6
  • Apache Software Foundation Tomcat 5.5.7
    cpe:2.3:a:apache:tomcat:5.5.7
  • Apache Software Foundation Tomcat 5.5.8
    cpe:2.3:a:apache:tomcat:5.5.8
  • Apache Software Foundation Tomcat 5.5.9
    cpe:2.3:a:apache:tomcat:5.5.9
  • Apache Software Foundation Tomcat 5.5.10
    cpe:2.3:a:apache:tomcat:5.5.10
  • Apache Software Foundation Tomcat 5.5.11
    cpe:2.3:a:apache:tomcat:5.5.11
  • Apache Software Foundation Tomcat 5.5.12
    cpe:2.3:a:apache:tomcat:5.5.12
  • Apache Software Foundation Tomcat 5.5.13
    cpe:2.3:a:apache:tomcat:5.5.13
  • Apache Software Foundation Tomcat 5.5.14
    cpe:2.3:a:apache:tomcat:5.5.14
  • Apache Software Foundation Tomcat 5.5.15
    cpe:2.3:a:apache:tomcat:5.5.15
  • Apache Software Foundation Tomcat 5.5.16
    cpe:2.3:a:apache:tomcat:5.5.16
  • Apache Software Foundation Tomcat 5.5.17
    cpe:2.3:a:apache:tomcat:5.5.17
  • Apache Software Foundation Tomcat 5.5.18
    cpe:2.3:a:apache:tomcat:5.5.18
  • Apache Software Foundation Tomcat 5.5.19
    cpe:2.3:a:apache:tomcat:5.5.19
  • Apache Software Foundation Tomcat 5.5.20
    cpe:2.3:a:apache:tomcat:5.5.20
  • Apache Software Foundation Tomcat 5.5.21
    cpe:2.3:a:apache:tomcat:5.5.21
  • Apache Software Foundation Tomcat 5.5.22
    cpe:2.3:a:apache:tomcat:5.5.22
  • Apache Software Foundation Tomcat 5.5.23
    cpe:2.3:a:apache:tomcat:5.5.23
  • Apache Software Foundation Tomcat 5.5.24
    cpe:2.3:a:apache:tomcat:5.5.24
  • Apache Software Foundation Tomcat 6.0.0
    cpe:2.3:a:apache:tomcat:6.0.0
  • Apache Software Foundation Tomcat 6.0.1
    cpe:2.3:a:apache:tomcat:6.0.1
  • Apache Software Foundation Tomcat 6.0.2
    cpe:2.3:a:apache:tomcat:6.0.2
  • Apache Software Foundation Tomcat 6.0.3
    cpe:2.3:a:apache:tomcat:6.0.3
  • Apache Software Foundation Tomcat 6.0.4
    cpe:2.3:a:apache:tomcat:6.0.4
  • Apache Software Foundation Tomcat 6.0.5
    cpe:2.3:a:apache:tomcat:6.0.5
  • Apache Software Foundation Tomcat 6.0.6
    cpe:2.3:a:apache:tomcat:6.0.6
  • Apache Software Foundation Tomcat 6.0.7
    cpe:2.3:a:apache:tomcat:6.0.7
  • Apache Software Foundation Tomcat 6.0.8
    cpe:2.3:a:apache:tomcat:6.0.8
  • Apache Software Foundation Tomcat 6.0.9
    cpe:2.3:a:apache:tomcat:6.0.9
  • Apache Software Foundation Tomcat 6.0.10
    cpe:2.3:a:apache:tomcat:6.0.10
  • Apache Software Foundation Tomcat 6.0.11
    cpe:2.3:a:apache:tomcat:6.0.11
  • Apache Software Foundation Tomcat 6.0.12
    cpe:2.3:a:apache:tomcat:6.0.12
  • Apache Software Foundation Tomcat 6.0.13
    cpe:2.3:a:apache:tomcat:6.0.13
CVSS
Base: 4.3 (as of 15-08-2007 - 13:39)
Impact:
Exploitability:
CWE CWE-200
CAPEC
  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
  • Reusing Session IDs (aka Session Replay)
    This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
  • Using Slashes in Alternate Encoding
    This attack targets the encoding of the Slash characters. An attacker would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_APACHE2-MOD_JK-4997.NASL
    description Fixed various issues in tomcat : - CVE-2007-3382: Handling of cookies containing a ' character - CVE-2007-3385: Handling of \' in cookies - CVE-2007-5641: tomcat path traversal / information leak - CVE-2007-1860: directory traversal - CVE-2007-3386: tomcat XSS - CVE-2007-5342: insufficient access restrictions Additionally the dbcp namespace in commons-dbcp.jar was fixed.
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 31338
    published 2008-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31338
    title openSUSE 10 Security Update : apache2-mod_jk (apache2-mod_jk-4997)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2008-004.NASL
    description The remote host is running a version of Mac OS X 10.4 that does not have the security update 2008-004 applied. This update contains security fixes for a number of programs.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 33282
    published 2008-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33282
    title Mac OS X Multiple Vulnerabilities (Security Update 2008-004)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0871.NASL
    description Updated tomcat packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Tomcat is a servlet container for Java Servlet and Java Server Pages technologies. Tomcat was found treating single quote characters -- ' -- as delimiters in cookies. This could allow remote attackers to obtain sensitive information, such as session IDs, for session hijacking attacks (CVE-2007-3382). It was reported Tomcat did not properly handle the following character sequence in a cookie: \' (a backslash followed by a double-quote). It was possible remote attackers could use this failure to obtain sensitive information, such as session IDs, for session hijacking attacks (CVE-2007-3385). A cross-site scripting (XSS) vulnerability existed in the Host Manager Servlet. This allowed remote attackers to inject arbitrary HTML and web script via crafted requests (CVE-2007-3386). Users of Tomcat should update to these erratum packages, which contain backported patches and are not vulnerable to these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 26190
    published 2007-09-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=26190
    title RHEL 5 : tomcat (RHSA-2007:0871)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_5_4.NASL
    description The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.4. Mac OS X 10.5.4 contains security fixes for multiple components.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 33281
    published 2008-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33281
    title Mac OS X 10.5.x < 10.5.4 Multiple Vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1453.NASL
    description Several remote vulnerabilities have been discovered in the Tomcat servlet and JSP engine. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-3382 It was discovered that single quotes (') in cookies were treated as a delimiter, which could lead to an information leak. - CVE-2007-3385 It was discovered that the character sequence \' in cookies was handled incorrectly, which could lead to an information leak. - CVE-2007-5461 It was discovered that the WebDAV servlet is vulnerable to absolute path traversal.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 29872
    published 2008-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29872
    title Debian DSA-1453-1 : tomcat5 - several vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_WEBSPHERE-AS_CE-5850.NASL
    description Websphere has been updated to version 2.1.0.1 to fix several security vulnerabilities in the included subprojects, such as Apache Geronimo and Tomcat. (CVE-2007-0184 / CVE-2007-0185 / CVE-2007-2377 / CVE-2007-2449 / CVE-2007-2450 / CVE-2007-3382 / CVE-2007-3385 / CVE-2007-3386 / CVE-2007-5333 / CVE-2007-5342 / CVE-2007-5461 / CVE-2007-5613 / CVE-2007-5615 / CVE-2007-6286 / CVE-2008-0002 / CVE-2008-1232 / CVE-2008-1947 / CVE-2008-2370 / CVE-2008-2938)
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 41596
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41596
    title SuSE 10 Security Update : Websphere Community Edition (ZYPP Patch Number 5850)
  • NASL family Web Servers
    NASL id TOMCAT_6_0_14.NASL
    description According to its self-reported version number, the Apache Tomcat instance listening on the remote host is prior to 6.0.14. It is, therefore, affected by the following vulnerabilities : - Cross-site scripting (XSS) vulnerabilities exists due to improper validation of user-supplied input before returning it to users. An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user's browser session. (CVE-2007-2449, CVE-2007-2450, CVE-2007-3386) - Session hijacking vulnerabilities exists in Tomcat due to incorrect handling of specific special characters in cookie values. In certain cases an attacker could leverage this to leak sensitive information, such as the session ID. (CVE-2007-3382, CVE-2007-3385) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2019-01-11
    plugin id 121113
    published 2019-01-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121113
    title Apache Tomcat < 6.0.14 Multiple Vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1447.NASL
    description Several remote vulnerabilities have been discovered in the Tomcat servlet and JSP engine. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-3382 It was discovered that single quotes (') in cookies were treated as a delimiter, which could lead to an information leak. - CVE-2007-3385 It was discovered that the character sequence \' in cookies was handled incorrectly, which could lead to an information leak. - CVE-2007-3386 It was discovered that the host manager servlet performed insufficient input validation, which could lead to a cross-site scripting attack. - CVE-2007-5342 It was discovered that the JULI logging component did not restrict its target path, resulting in potential denial of service through file overwrites. - CVE-2007-5461 It was discovered that the WebDAV servlet is vulnerable to absolute path traversal.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 29856
    published 2008-01-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29856
    title Debian DSA-1447-1 : tomcat5.5 - several vulnerabilities
  • NASL family Web Servers
    NASL id TOMCAT_5_5_25.NASL
    description According to its self-reported version number, the instance Apache Tomcat running on the remote host is 5.0.x equal to or prior to 5.0.30 or 5.5.x prior to 5.5.25. It is, therefore, affected by multiple vulnerabilities : - An error exists in several JSP example files that allows script injection via URLs using the ';' character. (CVE-2007-2449) - The Manager and Host Manager applications do not properly sanitize the 'filename' parameter of the '/manager/html/upload' script, which can lead to cross- site scripting attacks. (CVE-2007-2450) - An error exists in the handling of cookie values containing single quotes which Tomcat treats as delimiters. This can allow disclosure of sensitive information such as session IDs. (CVE-2007-3382) - An error exists in the handling of cookie values containing backslashes which Tomcat treats as delimiters. This can allow disclosure of sensitive information such as session IDs. (CVE-2007-3385) - An error exists in the Host Manager application which allows script injection. (CVE-2007-3386) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 51059
    published 2010-12-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51059
    title Apache Tomcat 5.0.x <= 5.0.30 / 5.5.x < 5.5.25 Multiple Vulnerabilities
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0871.NASL
    description Updated tomcat packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Tomcat is a servlet container for Java Servlet and Java Server Pages technologies. Tomcat was found treating single quote characters -- ' -- as delimiters in cookies. This could allow remote attackers to obtain sensitive information, such as session IDs, for session hijacking attacks (CVE-2007-3382). It was reported Tomcat did not properly handle the following character sequence in a cookie: \' (a backslash followed by a double-quote). It was possible remote attackers could use this failure to obtain sensitive information, such as session IDs, for session hijacking attacks (CVE-2007-3385). A cross-site scripting (XSS) vulnerability existed in the Host Manager Servlet. This allowed remote attackers to inject arbitrary HTML and web script via crafted requests (CVE-2007-3386). Users of Tomcat should update to these erratum packages, which contain backported patches and are not vulnerable to these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 43651
    published 2010-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43651
    title CentOS 5 : tomcat (CESA-2007:0871)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_TOMCAT5-4990.NASL
    description - Cross-site scripting (XSS) vulnerability in example JSP applications. (CVE-2006-7196) - Handling of cookies containing a ' character. (CVE-2007-3382) - Handling of \' in cookies. (CVE-2007-3385) - tomcat path traversal / information leak. (CVE-2007-5641) - directory traversal. (CVE-2007-1860) - tomcat https information disclosure. (CVE-2008-0128) - tomcat HTTP Request Smuggling. (CVE-2005-2090)
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 31298
    published 2008-02-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31298
    title SuSE 10 Security Update : Tomcat 5 (ZYPP Patch Number 4990)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-3456.NASL
    description Updated Tomcat5 packages that fix several security bugs are now available for Fedora Core 7. This update includes fixes to the following : - CVE-2007-1355 - CVE-2007-3386 - CVE-2007-3385 - CVE-2007-3382 - CVE-2007-2450 - CVE-2007-2449 - CVE-2007-5461 - CVE-2007-1358 All users of tomcat are advised to update to these packages. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-12-08
    plugin id 28257
    published 2007-11-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28257
    title Fedora 7 : tomcat5-5.5.25-1jpp.1.fc7 (2007-3456)
  • NASL family SuSE Local Security Checks
    NASL id SUSE9_12078.NASL
    description Fixed various issues in tomcat : - mod_jk directory traversal. (CVE-2007-1860) - Handling of cookies containing a ' character. (CVE-2007-3382) - Handling of a double-quote character in cookies. (CVE-2007-3385) - tomcat path traversal / information leak. (CVE-2007-5641) - tomcat HTTP Request Smuggling. (CVE-2005-2090) - tomcat https information disclosure. (CVE-2008-0128)
    last seen 2018-09-01
    modified 2016-12-21
    plugin id 41198
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41198
    title SuSE9 Security Update : Tomcat (YOU Patch Number 12078)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_APACHE2-MOD_JK-4992.NASL
    description Fixed various issues in tomcat : - CVE-2006-7196: Cross-site scripting (XSS) vulnerability in example JSP applications - CVE-2007-3382: Handling of cookies containing a ' character - CVE-2007-3385: Handling of \' in cookies - CVE-2007-5641: tomcat path traversal / information leak - CVE-2007-1860: directory traversal - CVE-2008-0128: tomcat https information disclosure - CVE-2005-2090: tomcat HTTP Request Smuggling
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 31319
    published 2008-02-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31319
    title openSUSE 10 Security Update : apache2-mod_jk (apache2-mod_jk-4992)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2008-0261.NASL
    description Red Hat Network Satellite Server version 5.0.2 is now available. This update includes fixes for a number of security issues in Red Hat Network Satellite Server components. This update has been rated as having moderate security impact by the Red Hat Security Response Team. During an internal security review, a cross-site scripting flaw was found that affected the Red Hat Network channel search feature. (CVE-2007-5961) This release also corrects several security vulnerabilities in various components shipped as part of the Red Hat Network Satellite Server. In a typical operating environment, these components are not exposed to users of Satellite Server in a vulnerable manner. These security updates will reduce risk in unique Satellite Server environments. Multiple flaws were fixed in the Apache HTTPD server. These flaws could result in a cross-site scripting, denial-of-service, or information disclosure attacks. (CVE-2004-0885, CVE-2006-5752, CVE-2006-7197, CVE-2007-1860, CVE-2007-3304, CVE-2007-4465, CVE-2007-5000, CVE-2007-6388) A denial-of-service flaw was fixed in mod_perl. (CVE-2007-1349) A denial-of-service flaw was fixed in the jabberd server. (CVE-2006-1329) Multiple cross-site scripting flaws were fixed in the image map feature in the JFreeChart package. (CVE-2007-6306) Multiple flaws were fixed in the IBM Java 1.4.2 Runtime. (CVE-2007-0243, CVE-2007-2435, CVE-2007-2788, CVE-2007-2789) Two arbitrary code execution flaws were fixed in the OpenMotif package. (CVE-2005-3964, CVE-2005-0605) A flaw which could result in weak encryption was fixed in the perl-Crypt-CBC package. (CVE-2006-0898) Multiple flaws were fixed in the Tomcat package. (CVE-2008-0128, CVE-2007-5461, CVE-2007-3385, CVE-2007-3382, CVE-2007-1358, CVE-2007-1355, CVE-2007-2450, CVE-2007-2449, CVE-2007-0450, CVE-2006-7196, CVE-2006-7195, CVE-2006-3835, CVE-2006-0254, CVE-2005-2090, CVE-2005-4838, CVE-2005-3510) Users of Red Hat Network Satellite Server 5.0 are advised to upgrade to 5.0.2, which resolves these issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 43835
    published 2010-01-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43835
    title RHEL 4 : Satellite Server (RHSA-2008:0261)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-241.NASL
    description A number of vulnerabilities were found in Tomcat : A directory traversal vulnerability, when using certain proxy modules, allows a remote attacker to read arbitrary files via a .. (dot dot) sequence with various slash, backslash, or url-encoded backslash characters (CVE-2007-0450; affects Mandriva Linux 2007.1 only). Multiple cross-site scripting vulnerabilities in certain JSP files allow remote attackers to inject arbitrary web script or HTML (CVE-2007-2449). Multiple cross-site scripting vulnerabilities in the Manager and Host Manager web applications allow remote authenticated users to inject arbitrary web script or HTML (CVE-2007-2450). Tomcat treated single quotes as delimiters in cookies, which could cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks (CVE-2007-3382). Tomcat did not properly handle the ' character sequence in a cookie value, which could cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks (CVE-2007-3385). A cross-site scripting vulnerability in the Host Manager servlet allowed remote attackers to inject arbitrary HTML and web script via crafted attacks (CVE-2007-3386). Finally, an absolute path traversal vulnerability, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag (CVE-2007-5461). The updated packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 38147
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38147
    title Mandrake Linux Security Advisory : tomcat5 (MDKSA-2007:241)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2008-0524.NASL
    description Red Hat Network Satellite Server version 4.2.3 is now available. This update includes fixes for a number of security issues in Red Hat Network Satellite Server components. This update has been rated as having low security impact by the Red Hat Security Response Team. This release corrects several security vulnerabilities in various components shipped as part of the Red Hat Network Satellite Server 4.2. In a typical operating environment, these components are not exposed to users of Satellite Server in a vulnerable manner. These security updates will reduce risk in unique Satellite Server environments. Multiple flaws were fixed in the Apache HTTPD server. These flaws could result in a cross-site scripting, denial-of-service, or information disclosure attacks. (CVE-2004-0885, CVE-2006-5752, CVE-2006-7197, CVE-2007-1860, CVE-2007-3304, CVE-2007-4465, CVE-2007-5000, CVE-2007-6388) A denial-of-service flaw was fixed in mod_perl. (CVE-2007-1349) A denial-of-service flaw was fixed in the jabberd server. (CVE-2006-1329) Multiple cross-site scripting flaws were fixed in the image map feature in the JFreeChart package. (CVE-2007-6306) Multiple flaws were fixed in the IBM Java 1.4.2 Runtime. (CVE-2007-0243, CVE-2007-2435, CVE-2007-2788, CVE-2007-2789) Multiple flaws were fixed in the OpenMotif package. (CVE-2004-0687, CVE-2004-0688, CVE-2004-0914, CVE-2005-3964, CVE-2005-0605) A flaw which could result in weak encryption was fixed in the perl-Crypt-CBC package. (CVE-2006-0898) Multiple flaws were fixed in the Tomcat package. (CVE-2008-0128, CVE-2007-5461, CVE-2007-3385, CVE-2007-3382, CVE-2007-1358, CVE-2007-1355, CVE-2007-2450, CVE-2007-2449, CVE-2007-0450, CVE-2006-7196, CVE-2006-7195, CVE-2006-3835, CVE-2006-0254, CVE-2005-2090, CVE-2005-4838, CVE-2005-3510) Users of Red Hat Network Satellite Server 4.2 are advised to upgrade to 4.2.3, which resolves these issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 43837
    published 2010-01-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43837
    title RHEL 3 / 4 : Satellite Server (RHSA-2008:0524)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0871.NASL
    description From Red Hat Security Advisory 2007:0871 : Updated tomcat packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Tomcat is a servlet container for Java Servlet and Java Server Pages technologies. Tomcat was found treating single quote characters -- ' -- as delimiters in cookies. This could allow remote attackers to obtain sensitive information, such as session IDs, for session hijacking attacks (CVE-2007-3382). It was reported Tomcat did not properly handle the following character sequence in a cookie: \' (a backslash followed by a double-quote). It was possible remote attackers could use this failure to obtain sensitive information, such as session IDs, for session hijacking attacks (CVE-2007-3385). A cross-site scripting (XSS) vulnerability existed in the Host Manager Servlet. This allowed remote attackers to inject arbitrary HTML and web script via crafted requests (CVE-2007-3386). Users of Tomcat should update to these erratum packages, which contain backported patches and are not vulnerable to these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67564
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67564
    title Oracle Linux 5 : tomcat (ELSA-2007-0871)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-3474.NASL
    description Updated Tomcat5 packages that fix several security bugs are now available for Fedora Core 8. This update includes fixes to the following : - CVE-2007-1355 - CVE-2007-3386 - CVE-2007-3385 - CVE-2007-3382 - CVE-2007-2450 - CVE-2007-2449 - CVE-2007-5461 - CVE-2007-1358 All users of tomcat are advised to update to these packages. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-12-08
    plugin id 28258
    published 2007-11-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28258
    title Fedora 8 : tomcat5-5.5.25-1jpp.1.fc8 (2007-3474)
  • NASL family Web Servers
    NASL id TOMCAT_4_1_37.NASL
    description According to its self-reported version number, the instance of Apache Tomcat 4.x listening on the remote host is prior to 4.1.37. It is, therefore, affected by the following vulnerabilities : - The remote Apache Tomcat install may be vulnerable to an information disclosure attack if the deprecated AJP connector processes a client request having a non-zero Content-Length and the client disconnects before sending the request body. (CVE-2005-3164) - The remote Apache Tomcat install may be vulnerable to a cross-site scripting attack if the JSP and Servlet examples are enabled. Several of these examples do not properly validate user input. (CVE-2007-1355, CVE-2007-2449) - The remote Apache Tomcat install may be vulnerable to a cross-site scripting attack if the Manager web application is enabled as it fails to escape input data. (CVE-2007-2450) - The remote Apache Tomcat install may be vulnerable to an information disclosure attack via cookies. Apache Tomcat treats the single quote character in a cookie as a delimiter which can lead to information, such as session ID, to be disclosed. (CVE-2007-3382) - The remote Apache Tomcat install may be vulnerable to a cross-site scripting attack if the SendMailServlet is enabled. The SendMailServlet is a part of the examples web application and, when reporting error messages, fails to escape user provided data. (CVE-2007-3383) - The remote Apache Tomcat install may be vulnerable to an information disclosure attack via cookies. The previous fix for CVE-2007-3385 was incomplete and did not account for the use of quotes or '%5C' in cookie values. (CVE-2007-3385, CVE-2007-5333) - The remote Apache Tomcat install may be vulnerable to an information disclosure attack via the WebDAV servlet. Certain WebDAV requests, containing an entity with a SYSTEM tag, can result in the disclosure of arbitrary file contents. (CVE-2007-5461) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number..
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 47030
    published 2010-06-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47030
    title Apache Tomcat 4.x < 4.1.37 Multiple Vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-1069.NASL
    description Updated tomcat packages that fix multiple security issues are now available for Red Hat Network Satellite Server. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Tomcat is a servlet container for Java Servlet and JavaServer Pages technologies. It was reported Tomcat did not properly handle the following character sequence in a cookie: \' (a backslash followed by a double-quote). It was possible remote attackers could use this failure to obtain sensitive information, such as session IDs, for session hijacking attacks (CVE-2007-3385). Tomcat was found treating single quote characters -- ' -- as delimiters in cookies. This could allow remote attackers to obtain sensitive information, such as session IDs, for session hijacking attacks (CVE-2007-3382). The default Tomcat configuration permitted the use of insecure SSL cipher suites including the anonymous cipher suite. (CVE-2007-1858) Tomcat permitted various characters as path delimiters. If Tomcat was used behind certain proxies and configured to only proxy some contexts, an attacker could construct an HTTP request to work around the context restriction and potentially access non-proxied content. (CVE-2007-0450) Directory listings were enabled by default in Tomcat. Information stored unprotected under the document root was visible to anyone if the administrator did not disable directory listings. (CVE-2006-3835) It was found that generating listings of large directories was CPU intensive. An attacker could make repeated requests to obtain a directory listing of any large directory, leading to a denial of service. (CVE-2005-3510) Tomcat was found to accept multiple content-length headers in a request. This could allow attackers to poison a web-cache, bypass web application firewall protection, or conduct cross-site scripting attacks. (CVE-2005-2090) Users should upgrade to these erratum packages which contain an update to Tomcat that resolves these issues, and add the tyrex and jakarta-commons-pool packages which are required dependencies of the new Tomcat version.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 43834
    published 2010-01-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43834
    title RHEL 3 / 4 : tomcat in Satellite Server (RHSA-2007:1069)
oval via4
accepted 2013-04-29T04:20:10.665-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 does not properly handle the \" character sequence in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks.
family unix
id oval:org.mitre.oval:def:9549
status accepted
submitted 2010-07-09T03:56:16-04:00
title Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 does not properly handle the \" character sequence in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks.
version 18
redhat via4
advisories
  • rhsa
    id RHSA-2007:0871
  • rhsa
    id RHSA-2007:0950
  • rhsa
    id RHSA-2008:0195
  • rhsa
    id RHSA-2008:0261
rpms
  • tomcat5-0:5.5.23-0jpp.3.0.2.el5
  • tomcat5-admin-webapps-0:5.5.23-0jpp.3.0.2.el5
  • tomcat5-common-lib-0:5.5.23-0jpp.3.0.2.el5
  • tomcat5-jasper-0:5.5.23-0jpp.3.0.2.el5
  • tomcat5-jasper-javadoc-0:5.5.23-0jpp.3.0.2.el5
  • tomcat5-jsp-2.0-api-0:5.5.23-0jpp.3.0.2.el5
  • tomcat5-jsp-2.0-api-javadoc-0:5.5.23-0jpp.3.0.2.el5
  • tomcat5-server-lib-0:5.5.23-0jpp.3.0.2.el5
  • tomcat5-servlet-2.4-api-0:5.5.23-0jpp.3.0.2.el5
  • tomcat5-servlet-2.4-api-javadoc-0:5.5.23-0jpp.3.0.2.el5
  • tomcat5-webapps-0:5.5.23-0jpp.3.0.2.el5
refmap via4
aixapar IZ55562
apple APPLE-SA-2008-06-30
bid 25316
bugtraq
  • 20070814 CVE-2007-3385: Handling of \" in cookies
  • 20090124 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities
  • 20090127 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1)
cert-vn VU#993544
confirm
debian
  • DSA-1447
  • DSA-1453
fedora FEDORA-2007-3456
hp
  • HPSBTU02276
  • HPSBUX02262
  • SSRT071447
  • SSRT071472
mandriva MDKSA-2007:241
mlist
  • [tomcat-dev] 20190319 svn commit: r1855831 [21/30] - in /tomcat/site/trunk: ./ docs/ xdocs/
  • [tomcat-dev] 20190319 svn commit: r1855831 [22/30] - in /tomcat/site/trunk: ./ docs/ xdocs/
  • [tomcat-dev] 20190325 svn commit: r1856174 [19/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/
  • [tomcat-dev] 20190325 svn commit: r1856174 [20/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/
sectrack 1018557
secunia
  • 26466
  • 26898
  • 27037
  • 27267
  • 27727
  • 28317
  • 28361
  • 29242
  • 30802
  • 33668
  • 36486
  • 44183
sreason 3011
suse
  • SUSE-SR:2008:005
  • SUSE-SR:2009:004
vupen
  • ADV-2007-2902
  • ADV-2007-3386
  • ADV-2007-3527
  • ADV-2008-1981
  • ADV-2009-0233
xf tomcat-slashcookie-information-disclosure(35999)
Last major update 20-04-2011 - 21:55
Published 14-08-2007 - 18:17
Last modified 25-03-2019 - 07:29
Back to Top