Description

The org.apache.catalina.connector.Response.encodeURL method in Red Hat JBoss Web 7.1.x and earlier, when the tracking mode is set to COOKIE, sends the jsessionid in the URL of the first response of a session, which allows remote attackers to obtain the session id (1) via a man-in-the-middle attack or (2) by reading a log.

Remediation

References

http://ocpsoft.org/support/topic/session-id-is-appended-as-url-path-parameter-in-very-first-request/

http://rhn.redhat.com/errata/RHSA-2013-0833.html

http://rhn.redhat.com/errata/RHSA-2013-0834.html

http://rhn.redhat.com/errata/RHSA-2013-0839.html

http://rhn.redhat.com/errata/RHSA-2013-1437.html

https://issues.jboss.org/browse/JBWEB-249

Related Vulnerabilities

CVE-2015-5207 Vulnerability in npm package cordova-ios

CVE-2023-32695 Vulnerability in maven package org.webjars.npm:socket.io-parser

CVE-2014-0119 Vulnerability in maven package org.apache.tomcat:catalina

CVE-2015-5241 Vulnerability in maven package org.apache.juddi:juddi-client

CVE-2018-8024 Vulnerability in maven package org.apache.spark:spark-core

Severity

Critical

Tags

Vendor Advisory NVD-CWE-noinfo