Description

The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

Remediation

References

CVE-2008-0128

Related Vulnerabilities

PostgreSQL Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2005-0227)

Jboss EAP Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2018-10934)

WordPress Plugin Audio Record Arbitrary File Upload (1.0)

WordPress Plugin Real Media Library:Media Library Folder & File Manager Cross-Site Scripting (4.14.1)

WordPress Plugin Pods-Custom Content Types and Fields Multiple Vulnerabilities (2.4.3)

Severity

Medium

Classification

CVE-2008-0128

Tags

Missing Update Known Vulnerabilities