// For flags

CVE-2008-0128

tomcat5 SSO cookie login information disclosure

Severity Score

5.0
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

El valor SingleSignOn (org.apache.catalina.authenticator.SingleSignOn) en Apache Tomcat anterior a 5.5.21 no asigna la bandera segura para la cookie JSESSIONIDSSO en una sesión http, haciéndolo más fácil para atacantes remotos para capturar esta cookie.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2008-01-07 CVE Reserved
  • 2008-01-22 CVE Published
  • 2024-08-07 CVE Updated
  • 2024-09-11 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-16: Configuration
CAPEC
References (24)
URL Tag Source
http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx X_refsource_confirm
http://secunia.com/advisories/29242 Third Party Advisory
http://secunia.com/advisories/31493 Third Party Advisory
http://secunia.com/advisories/33668 Third Party Advisory
http://security-tracker.debian.net/tracker/CVE-2008-0128 X_refsource_confirm
http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540 X_refsource_confirm
http://www.securityfocus.com/archive/1/500396/100/0/threaded Mailing List
http://www.securityfocus.com/archive/1/500412/100/0/threaded Mailing List
http://www.securityfocus.com/bid/27365 Vdb Entry
http://www.vupen.com/english/advisories/2008/0192 Vdb Entry
http://www.vupen.com/english/advisories/2009/0233 Vdb Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/39804 Vdb Entry
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E Mailing List
URL Date SRC
URL Date SRC
http://issues.apache.org/bugzilla/show_bug.cgi?id=41217 2023-11-07
URL Date SRC
http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html 2023-11-07
http://rhn.redhat.com/errata/RHSA-2008-0630.html 2023-11-07
http://secunia.com/advisories/28549 2023-11-07
http://secunia.com/advisories/28552 2023-11-07
http://www.debian.org/security/2008/dsa-1468 2023-11-07
http://www.redhat.com/support/errata/RHSA-2008-0261.html 2023-11-07
https://access.redhat.com/security/cve/CVE-2008-0128 2010-08-04
https://bugzilla.redhat.com/show_bug.cgi?id=429821 2010-08-04
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 <= 5.5.20
Search vendor "Apache" for product "Tomcat" and version " <= 5.5.20"
-
Affected