[CVE-2007-5333] Unauthorized disclosure of information
Bug #220540 reported by Matti Lindell
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| tomcat5.5 (Debian) | Fix Released | Unknown | | |
| tomcat5.5 (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Hardy | Won't Fix | Undecided | Unassigned | |
Bug Description
Binary package hint: tomcat5.5
Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385.
http://
Edgy, Feisty, Gutsy and Hardy are affected. Dapper doesn't have the package. A fixed version is available in Debian.
CVE References
description: updated
Changed in tomcat5.5:
status: Unknown → Fix Released