Description
The org.apache.catalina.connector.Response.encodeURL method in Red Hat JBoss Web 7.1.x and earlier, when the tracking mode is set to COOKIE, sends the jsessionid in the URL of the first response of a session, which allows remote attackers to obtain the session id (1) via a man-in-the-middle attack or (2) by reading a log.
Remediation
References
http://ocpsoft.org/support/topic/session-id-is-appended-as-url-path-parameter-in-very-first-request/
http://rhn.redhat.com/errata/RHSA-2013-0833.html
http://rhn.redhat.com/errata/RHSA-2013-0834.html
http://rhn.redhat.com/errata/RHSA-2013-0839.html
http://rhn.redhat.com/errata/RHSA-2013-1437.html
https://issues.jboss.org/browse/JBWEB-249
Related Vulnerabilities
CVE-2023-28935 Vulnerability in maven package org.apache.uima:uima-ducc-parent
CVE-2018-1999035 Vulnerability in maven package com.inedo.buildmaster:inedo-buildmaster
CVE-2017-1000394 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2014-0229 Vulnerability in maven package org.apache.hadoop:hadoop-hdfs