GHSA-qff8-g48j-pwpw — medium GitHub Advisory (CVE-2007-3382) in maven/org.apache.tomcat:tomcat

Description

Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 treats single quotes (') as delimiters in cookies, which might cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks.

Basic information

Type: reviewed
Severity: medium
Advisory on GitHub: Open advisory ↗
Repository advisory: —
Source code: Not specified
Published (advisory): 2022-05-01 18:13:14 UTC
Updated: 2023-09-22 21:05:32 UTC
GitHub reviewed: 2023-09-22 21:05:30 UTC
NVD published: 2007-08-14

Score	Percentile
83.91%	99.29%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

Type	Value
GHSA	GHSA-qff8-g48j-pwpw ↗
CVE	CVE-2007-3382 ↗

CWEs

CWE id	Name
CWE-200	Exposure of Sensitive Information to an Unauthorized Actor

Affected packages (5)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem	Package	Vulnerable range	First patched	Vulnerable functions
maven	org.apache.tomcat:tomcat	>= 6.0.0, <= 6.0.13	—	—
maven	org.apache.tomcat:tomcat	>= 5.5.0, <= 5.5.24	—	—
maven	org.apache.tomcat:tomcat	>= 5.0.0, <= 5.0.30	—	—
maven	org.apache.tomcat:tomcat	>= 4.1.0, <= 4.1.36	—	—
maven	org.apache.tomcat:tomcat	>= 3.3.0, <= 3.3.2	—	—

Apache Tomcat treats single quotes as delimiters in cookies