Apache Tomcat version older than 6.0.9

Description

This alert was generated using only banner information. It may be a false positive.

Fixed in Apache Tomcat 6.0.9:
  • moderate: Session hi-jacking CVE-2008-0128
    When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is transmitted without the "secure" attribute, resulting in it being transmitted to any content that is - by purpose or error - requested via http from the same server.

Affected Apache Tomcat version (6.0.0 - 6.0.8).

Remediation

Upgrade Apache Tomcat to the latest version.

References
Severity
Classification
Tags
  • Missing Update