CVE-2007-5333

Apache Tomcat 6.0.15 - Cookie Quote Handling Remote Information Disclosure

Severity Score

4.3

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385.

Apache Tomcat 6.0.0 hasta 6.0.14, 5.5.0 hasta 5.5.25, 4.1.36 y 4.1.0 al no manejar adecuadamente secuencias (1) caracteres de dobles comillas (") o (2) secuencias de contrabarra codificadas %5C en un valor de cookie, podría provocar que información sensible como los IDs de sesión sean filtradas a atacantes remotos, así como habilitar ataques de secuestro de sesión. NOTA: este problema existe debido a una arreglo erroneo de CVE-2007-3385.

Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle characters or sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked this issue exists because of an incomplete fix for CVE-2007-3385. Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via. sequences and the WEB-INF directory in a Request. Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service via a crafted request with invalid headers, related to temporary blocking of connectors that have encountered errors, as demonstrated by an error involving a malformed HTTP Host header. Other issues have also been addressed.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2007-10-10 CVE Reserved
2008-02-09 First Exploit
2008-02-11 CVE Published
2024-08-07 CVE Updated
2025-07-08 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (58)

URL	Tag	Source
http://jvn.jp/jp/JVN%2309470767/index.html	Third Party Advisory
http://secunia.com/advisories/28878	Broken Link
http://secunia.com/advisories/28884	Broken Link
http://secunia.com/advisories/28915	Broken Link
http://secunia.com/advisories/29711	Broken Link
http://secunia.com/advisories/30676	Broken Link
http://secunia.com/advisories/30802	Broken Link
http://secunia.com/advisories/32036	Broken Link
http://secunia.com/advisories/32222	Broken Link
http://secunia.com/advisories/33330	Broken Link
http://secunia.com/advisories/37460	Broken Link
http://secunia.com/advisories/44183	Broken Link
http://secunia.com/advisories/57126	Broken Link
http://securityreason.com/securityalert/3636	Broken Link
http://support.apple.com/kb/HT2163	Third Party Advisory
http://support.apple.com/kb/HT3216	Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg24018932	Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg27012047	Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg27012048	Third Party Advisory
http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.2.0.cp08/html-single/Release_Notes/index.html	Third Party Advisory
http://www.securityfocus.com/archive/1/487822/100/0/threaded	Mailing List
http://www.securityfocus.com/archive/1/507985/100/0/threaded	Mailing List
http://www.securityfocus.com/bid/31681	Third Party Advisory
http://www.vmware.com/security/advisories/VMSA-2008-0010.html	Third Party Advisory
http://www.vmware.com/security/advisories/VMSA-2009-0016.html	Third Party Advisory
http://www.vupen.com/english/advisories/2008/0488	Url Repurposed
http://www.vupen.com/english/advisories/2008/1856/references	Url Repurposed
http://www.vupen.com/english/advisories/2008/1981/references	Url Repurposed
http://www.vupen.com/english/advisories/2008/2690	Url Repurposed
http://www.vupen.com/english/advisories/2008/2780	Url Repurposed
http://www.vupen.com/english/advisories/2009/3316	Url Repurposed
https://bugzilla.redhat.com/show_bug.cgi?id=532111	Issue Tracking
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11177	Signature

URL	Date	SRC
https://www.exploit-db.com/exploits/31130	2008-02-09
http://www.securityfocus.com/bid/27706	2024-08-07

URL	Date	SRC

URL	Date	SRC
http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html	2023-11-07
http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html	2023-11-07
http://marc.info/?l=bugtraq&m=139344343412337&w=2	2023-11-07
http://security.gentoo.org/glsa/glsa-200804-10.xml	2023-11-07
http://tomcat.apache.org/security-4.html	2023-11-07
http://tomcat.apache.org/security-5.html	2023-11-07
http://tomcat.apache.org/security-6.html	2023-11-07
http://www-1.ibm.com/support/docview.wss?uid=swg1IZ20133	2023-11-07
http://www-1.ibm.com/support/docview.wss?uid=swg1IZ20991	2023-11-07
http://www.mandriva.com/security/advisories?name=MDVSA-2009:018	2023-11-07
http://www.mandriva.com/security/advisories?name=MDVSA-2010:176	2023-11-07
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00315.html	2023-11-07
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00460.html	2023-11-07
https://access.redhat.com/security/cve/CVE-2007-5333	2010-08-04
https://bugzilla.redhat.com/show_bug.cgi?id=427766	2010-08-04

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				>= 4.1.0 <= 4.1.36 Search vendor "Apache" for product "Tomcat" and version " >= 4.1.0 <= 4.1.36"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				>= 5.5.0 <= 5.5.25 Search vendor "Apache" for product "Tomcat" and version " >= 5.5.0 <= 5.5.25"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				>= 6.0.0 <= 6.0.14 Search vendor "Apache" for product "Tomcat" and version " >= 6.0.0 <= 6.0.14"		-		Affected