Description
The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
Remediation
References
http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
http://issues.apache.org/bugzilla/show_bug.cgi?id=41217
http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html
http://rhn.redhat.com/errata/RHSA-2008-0630.html
http://secunia.com/advisories/28549
http://secunia.com/advisories/28552
http://secunia.com/advisories/29242
http://secunia.com/advisories/31493
http://secunia.com/advisories/33668
http://security-tracker.debian.net/tracker/CVE-2008-0128
http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
http://www.debian.org/security/2008/dsa-1468
http://www.redhat.com/support/errata/RHSA-2008-0261.html
http://www.securityfocus.com/archive/1/500396/100/0/threaded
http://www.securityfocus.com/archive/1/500412/100/0/threaded
http://www.securityfocus.com/bid/27365
http://www.vupen.com/english/advisories/2008/0192
http://www.vupen.com/english/advisories/2009/0233
https://exchange.xforce.ibmcloud.com/vulnerabilities/39804
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
Related Vulnerabilities
CVE-2022-39249 Vulnerability in npm package matrix-js-sdk
CVE-2019-17592 Vulnerability in maven package org.webjars.npm:csv-parse
CVE-2019-13127 Vulnerability in maven package org.webjars.bowergithub.jgraph:mxgraph
CVE-2021-21290 Vulnerability in maven package io.netty:netty-testsuite
CVE-2023-25158 Vulnerability in maven package org.geotools.jdbc:gt-jdbc-oracle