Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 4.3
CVE Id: CVE-2007-3382
Last Modified: 07 Mar 2011 09:56:11
Published: 14 Aug 2007 06:17:00
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

CVE-2007-3382

Summary

Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 treats single quotes ("'") as delimiters in cookies, which might cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks.

Vulnerable Systems

Application

  • Apache Tomcat 3.3
  • Apache Tomcat 3.3.1
  • Apache Tomcat 3.3.1a
  • Apache Tomcat 3.3.2
  • Apache Tomcat 4.1.0
  • Apache Tomcat 4.1.1
  • Apache Tomcat 4.1.2
  • Apache Tomcat 4.1.3
  • Apache Tomcat 4.1.9
  • Apache Tomcat 4.1.10
  • Apache Tomcat 4.1.15
  • Apache Tomcat 4.1.24
  • Apache Tomcat 4.1.28
  • Apache Tomcat 4.1.31
  • Apache Tomcat 4.1.36
  • Apache Tomcat 5.0.0
  • Apache Tomcat 5.0.1
  • Apache Tomcat 5.0.2
  • Apache Tomcat 5.0.3
  • Apache Tomcat 5.0.4
  • Apache Tomcat 5.0.5
  • Apache Tomcat 5.0.6
  • Apache Tomcat 5.0.7
  • Apache Tomcat 5.0.8
  • Apache Tomcat 5.0.9
  • Apache Tomcat 5.0.10
  • Apache Tomcat 5.0.11
  • Apache Tomcat 5.0.12
  • Apache Tomcat 5.0.13
  • Apache Tomcat 5.0.14
  • Apache Tomcat 5.0.15
  • Apache Tomcat 5.0.16
  • Apache Tomcat 5.0.17
  • Apache Tomcat 5.0.18
  • Apache Tomcat 5.0.19
  • Apache Tomcat 5.0.21
  • Apache Tomcat 5.0.22
  • Apache Tomcat 5.0.23
  • Apache Tomcat 5.0.24
  • Apache Tomcat 5.0.25
  • Apache Tomcat 5.0.26
  • Apache Tomcat 5.0.27
  • Apache Tomcat 5.0.28
  • Apache Tomcat 5.0.29
  • Apache Tomcat 5.0.30
  • Apache Tomcat 5.5.0
  • Apache Tomcat 5.5.1
  • Apache Tomcat 5.5.2
  • Apache Tomcat 5.5.3
  • Apache Tomcat 5.5.4
  • Apache Tomcat 5.5.5
  • Apache Tomcat 5.5.6
  • Apache Tomcat 5.5.7
  • Apache Tomcat 5.5.8
  • Apache Tomcat 5.5.9
  • Apache Tomcat 5.5.10
  • Apache Tomcat 5.5.11
  • Apache Tomcat 5.5.12
  • Apache Tomcat 5.5.13
  • Apache Tomcat 5.5.14
  • Apache Tomcat 5.5.15
  • Apache Tomcat 5.5.16
  • Apache Tomcat 5.5.17
  • Apache Tomcat 5.5.18
  • Apache Tomcat 5.5.19
  • Apache Tomcat 5.5.20
  • Apache Tomcat 5.5.21
  • Apache Tomcat 5.5.22
  • Apache Tomcat 5.5.23
  • Apache Tomcat 5.5.24
  • Apache Tomcat 6.0.0
  • Apache Tomcat 6.0.1
  • Apache Tomcat 6.0.2
  • Apache Tomcat 6.0.3
  • Apache Tomcat 6.0.4
  • Apache Tomcat 6.0.5
  • Apache Tomcat 6.0.6
  • Apache Tomcat 6.0.7
  • Apache Tomcat 6.0.8
  • Apache Tomcat 6.0.9
  • Apache Tomcat 6.0.10
  • Apache Tomcat 6.0.11
  • Apache Tomcat 6.0.12
  • Apache Tomcat 6.0.13


References

BUGTRAQ - 20070814 Re: CVE-2007-3382: Handling of cookies containing a ' character
CERT-VN - VU#993544
BUGTRAQ - 20070814 CVE-2007-3382: Handling of cookies containing a ' character
CONFIRM - http://tomcat.apache.org/security-6.html
VUPEN - ADV-2009-0233
VUPEN - ADV-2008-1981
VUPEN - ADV-2007-3527
VUPEN - ADV-2007-3386
VUPEN - ADV-2007-2902
BUGTRAQ - 20090127 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1)
BUGTRAQ - 20090124 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities
AIXAPAR - IZ55562
CONFIRM - http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
CONFIRM - http://support.apple.com/kb/HT2163
SECUNIA - 36486
SECUNIA - 33668
SECUNIA - 30802
SUSE - SUSE-SR:2009:004
APPLE - APPLE-SA-2008-06-30
HP - SSRT071472
HP - SSRT071447
CONFIRM - http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
FEDORA - FEDORA-2007-3456
XF - tomcat-quotecookie-information-disclosure(36006)
BID - 25316
REDHAT - RHSA-2008:0261
REDHAT - RHSA-2008:0195
REDHAT - RHSA-2007:0950
REDHAT - RHSA-2007:0871
MANDRIVA - MDKSA-2007:241
DEBIAN - DSA-1453
DEBIAN - DSA-1447
SECTRACK - 1018556
SECUNIA - 29242
SECUNIA - 28361
SECUNIA - 28317
SECUNIA - 27727
SECUNIA - 27267
SECUNIA - 27037
SECUNIA - 26898
SECUNIA - 26466
SUSE - SUSE-SR:2008:005
HP - HPSBTU02276
HP - HPSBUX02262

Related Patches

Apple 2008-06-30 Security Update 2008-004 (PPC)
Apple 2008-06-30 Security Update 2008-004 Server (PPC)
Apple 2008-06-30 Security Update 2008-004 (Intel)
Apple 2008-06-30 Security Update 2008-004 Server (Intel)


Last Updated: 27 May 2016 11:02:30