Upstream information
Description
The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.SUSE information
Overall state of this security issue: Resolved
This issue is currently rated as having moderate severity.
| National Vulnerability Database | |
|---|---|
| Base Score | 5 |
| Vector | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | None |
| Availability Impact | None |
SUSE Security Advisories:
- SUSE-SR:2008:005, published Thu, 06 Mar 2008 13:00:00 +0000
- TID7006398, published Sat May 19 21:49:58 CEST 2018
SUSE Timeline for this CVE
CVE page created: Fri Jun 28 02:24:32 2013CVE page last modified: Fri Dec 8 16:24:28 2023