CVE-2007-3382

Published: Aug 14, 2007Modified: Apr 23, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 treats single quotes ("'") as delimiters in cookies, which might cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks.

Affected (85)

Products: Apache: Tomcat

Apache

1 product

Tomcat

Configuration A

85 vulnerable

Vulnerable Software	Affected Versions
Apache Tomcat	Version 3.3.1
Apache Tomcat	Version 3.3.1a
Apache Tomcat	Version 3.3.2
Apache Tomcat	Version 3.3
Apache Tomcat	Version 4.1.0
Apache Tomcat	Version 4.1.10
Apache Tomcat	Version 4.1.15
Apache Tomcat	Version 4.1.1
Apache Tomcat	Version 4.1.24
Apache Tomcat	Version 4.1.28
Apache Tomcat	Version 4.1.2
Apache Tomcat	Version 4.1.31
Apache Tomcat	Version 4.1.36
Apache Tomcat	Version 4.1.3
Apache Tomcat	Version 4.1.3 beta
Apache Tomcat	Version 4.1.9 beta
Apache Tomcat	Version 5.0.0
Apache Tomcat	Version 5.0.10
Apache Tomcat	Version 5.0.11
Apache Tomcat	Version 5.0.12
Apache Tomcat	Version 5.0.13
Apache Tomcat	Version 5.0.14
Apache Tomcat	Version 5.0.15
Apache Tomcat	Version 5.0.16
Apache Tomcat	Version 5.0.17
Apache Tomcat	Version 5.0.18
Apache Tomcat	Version 5.0.19
Apache Tomcat	Version 5.0.1
Apache Tomcat	Version 5.0.21
Apache Tomcat	Version 5.0.22
Apache Tomcat	Version 5.0.23
Apache Tomcat	Version 5.0.24
Apache Tomcat	Version 5.0.25
Apache Tomcat	Version 5.0.26
Apache Tomcat	Version 5.0.27
Apache Tomcat	Version 5.0.28
Apache Tomcat	Version 5.0.29
Apache Tomcat	Version 5.0.2
Apache Tomcat	Version 5.0.30
Apache Tomcat	Version 5.0.3
Apache Tomcat	Version 5.0.4
Apache Tomcat	Version 5.0.5
Apache Tomcat	Version 5.0.6
Apache Tomcat	Version 5.0.7
Apache Tomcat	Version 5.0.8
Apache Tomcat	Version 5.0.9
Apache Tomcat	Version 5.5.0
Apache Tomcat	Version 5.5.10
Apache Tomcat	Version 5.5.11
Apache Tomcat	Version 5.5.12
Apache Tomcat	Version 5.5.13
Apache Tomcat	Version 5.5.14
Apache Tomcat	Version 5.5.15
Apache Tomcat	Version 5.5.16
Apache Tomcat	Version 5.5.17
Apache Tomcat	Version 5.5.18
Apache Tomcat	Version 5.5.19
Apache Tomcat	Version 5.5.1
Apache Tomcat	Version 5.5.20
Apache Tomcat	Version 5.5.21
Apache Tomcat	Version 5.5.22
Apache Tomcat	Version 5.5.23
Apache Tomcat	Version 5.5.24
Apache Tomcat	Version 5.5.2
Apache Tomcat	Version 5.5.3
Apache Tomcat	Version 5.5.4
Apache Tomcat	Version 5.5.5
Apache Tomcat	Version 5.5.6
Apache Tomcat	Version 5.5.7
Apache Tomcat	Version 5.5.8
Apache Tomcat	Version 5.5.9
Apache Tomcat	Version 6.0.0
Apache Tomcat	Version 6.0.10
Apache Tomcat	Version 6.0.11
Apache Tomcat	Version 6.0.12
Apache Tomcat	Version 6.0.13
Apache Tomcat	Version 6.0.1
Apache Tomcat	Version 6.0.2
Apache Tomcat	Version 6.0.3
Apache Tomcat	Version 6.0.4
Apache Tomcat	Version 6.0.5
Apache Tomcat	Version 6.0.6
Apache Tomcat	Version 6.0.7
Apache Tomcat	Version 6.0.8
Apache Tomcat	Version 6.0.9

Related CWEs

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (92)

http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx

Source: secalert@redhat.com

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795

Source: secalert@redhat.com

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01192554

Source: secalert@redhat.com

http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html

Source: secalert@redhat.com

http://secunia.com/advisories/26466

Source: secalert@redhat.com

http://secunia.com/advisories/26898

Source: secalert@redhat.com

http://secunia.com/advisories/27037

Source: secalert@redhat.com

http://secunia.com/advisories/27267

Source: secalert@redhat.com

http://secunia.com/advisories/27727

Source: secalert@redhat.com

http://secunia.com/advisories/28317

Source: secalert@redhat.com

http://secunia.com/advisories/28361

Source: secalert@redhat.com

http://secunia.com/advisories/29242

Source: secalert@redhat.com

http://secunia.com/advisories/30802

Source: secalert@redhat.com

http://secunia.com/advisories/33668

Source: secalert@redhat.com

http://secunia.com/advisories/36486

Source: secalert@redhat.com

http://securitytracker.com/id?1018556

Source: secalert@redhat.com

http://support.apple.com/kb/HT2163

Source: secalert@redhat.com

http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540

Source: secalert@redhat.com

http://tomcat.apache.org/security-6.html

Source: secalert@redhat.com

Patch

http://www-01.ibm.com/support/docview.wss?uid=swg1IZ55562

Source: secalert@redhat.com

http://www.debian.org/security/2008/dsa-1447

Source: secalert@redhat.com

http://www.debian.org/security/2008/dsa-1453

Source: secalert@redhat.com

http://www.kb.cert.org/vuls/id/993544

Source: secalert@redhat.com

PatchUS Government Resource

http://www.mandriva.com/security/advisories?name=MDKSA-2007:241

Source: secalert@redhat.com

http://www.redhat.com/support/errata/RHSA-2007-0871.html

Source: secalert@redhat.com

http://www.redhat.com/support/errata/RHSA-2007-0950.html

Source: secalert@redhat.com

http://www.redhat.com/support/errata/RHSA-2008-0195.html

Source: secalert@redhat.com

http://www.redhat.com/support/errata/RHSA-2008-0261.html

Source: secalert@redhat.com

http://www.securityfocus.com/archive/1/476442/100/0/threaded

Source: secalert@redhat.com

http://www.securityfocus.com/archive/1/476466/100/0/threaded

Source: secalert@redhat.com

http://www.securityfocus.com/archive/1/500396/100/0/threaded

Source: secalert@redhat.com

http://www.securityfocus.com/archive/1/500412/100/0/threaded

Source: secalert@redhat.com

http://www.securityfocus.com/bid/25316

Source: secalert@redhat.com

http://www.vupen.com/english/advisories/2007/2902

Source: secalert@redhat.com

http://www.vupen.com/english/advisories/2007/3386

Source: secalert@redhat.com

http://www.vupen.com/english/advisories/2007/3527

Source: secalert@redhat.com

http://www.vupen.com/english/advisories/2008/1981/references

Source: secalert@redhat.com

http://www.vupen.com/english/advisories/2009/0233

Source: secalert@redhat.com

https://exchange.xforce.ibmcloud.com/vulnerabilities/36006

Source: secalert@redhat.com

https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11269

Source: secalert@redhat.com

https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html

Source: secalert@redhat.com

http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx