Vulnerability Name: CVE-2007-5333 (CCN-40403)
Assigned: 2007-10-10
Published: 2008-02-08
Updated: 2023-02-13

Summary: Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385.

CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low; Integrity (I): None; Availability (A): None
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N); 4.3 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C)
CCN CVSS v2 Severity: 5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N); 4.3 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics (NVD and CCN agree): Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
Impact Metrics (NVD and CCN agree): Confidentiality (C): Partial; Integrity (I): None; Availability (A): None
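The summary states the symptom (a double quote or a %5C sequence in a cookie value can cause a session ID to be disclosed to a remote attacker) but not the mechanism. The Python model below is an added example, not Apache Tomcat's code and not a reproduction of the patched classes. It shows the bug class in a deliberately flawed Cookie-header parser that percent-decodes the header before locating cookie boundaries and lets a double quote open a quoted run that continues across ';', next to a boundary-first parser that cannot be steered that way. That reading of the mechanism is an assumption drawn from the summary and from the note that the CVE-2007-3385 fix was incomplete; the cookie name `theme`, the session ID value and the three Cookie header lines are constructed for the demonstration, and how an attacker places a cookie into the victim's browser is outside what this record describes.

```python
"""Added model of the cookie-value boundary bug class behind CVE-2007-5333.

Illustrative code, not Apache Tomcat's parser. It assumes the mechanism
implied by the advisory summary: a server-side Cookie-header parser that
(a) percent-decodes the header before it finds cookie boundaries, so %5C
becomes a backslash that escapes the closing quote, and (b) lets a double
quote open a quoted run that continues past ';' until the next unescaped
quote. Cookie names, the session ID and the header lines are constructed.
"""
from urllib.parse import unquote


def parse_cookies_flawed(header: str) -> dict:
    """Deliberately flawed parser (assumed mechanism, see module docstring)."""
    text = unquote(header)  # flaw (a): decode before boundaries are known
    cookies, i, n = {}, 0, len(text)
    while i < n:
        while i < n and text[i] in " ;":
            i += 1
        eq = text.find("=", i)
        if eq == -1:
            break
        name = text[i:eq].strip()
        i = eq + 1
        value, quoted = [], False
        while i < n:
            c = text[i]
            if quoted:
                if c == "\\" and i + 1 < n:  # backslash escapes the next char
                    value.append(text[i + 1])
                    i += 2
                    continue
                if c == '"':
                    quoted = False
                    i += 1
                    continue
            elif c == '"':  # flaw (b): a quote anywhere opens a quoted run
                quoted = True
                i += 1
                continue
            elif c == ";":
                break
            value.append(c)
            i += 1
        cookies[name] = "".join(value)
    return cookies


def parse_cookies_safe(header: str) -> dict:
    """Boundary-first parser: split on ';' before any decoding or quote
    handling, so nothing inside one value can move where the next pair
    starts. Surrounding quotes are stripped only as a pair; %XX is left to
    the application, which then decodes a value whose extent is already fixed."""
    cookies = {}
    for pair in header.split(";"):
        if "=" not in pair:
            continue
        name, value = (part.strip() for part in pair.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        cookies[name] = value
    return cookies


def session_leaks(parser, header: str, echoed_cookie: str, session_id: str) -> bool:
    """True if an application that reflects `echoed_cookie` into a response
    would reveal `session_id` when the server parses `header` with `parser`."""
    return session_id in parser(header).get(echoed_cookie, "")


# Constructed inputs (not captured traffic). The victim's browser sends an
# attacker-chosen 'theme' cookie and its own JSESSIONID in one Cookie header.
SESSION_ID = "DEADBEEF0123456789ABCDEF"
PROBES = {
    "escaped quote": 'theme="dark\\"; JSESSIONID=' + SESSION_ID,
    "encoded %5C": 'theme="dark%5C"; JSESSIONID=' + SESSION_ID,
    "bare quote": 'theme=da"rk; JSESSIONID=' + SESSION_ID,
}


def run_probes() -> dict:
    """Per probe: (flawed parser leaks the session, boundary-first parser leaks it).
    Expected: every probe maps to (True, False)."""
    return {
        name: (
            session_leaks(parse_cookies_flawed, header, "theme", SESSION_ID),
            session_leaks(parse_cookies_safe, header, "theme", SESSION_ID),
        )
        for name, header in PROBES.items()
    }


if __name__ == "__main__":
    for name, (flawed, safe) in run_probes().items():
        print(f"{name:14s} flawed parser leaks: {flawed}  boundary-first parser leaks: {safe}")
```

Under the flawed parser all three probes fold the rest of the header, JSESSIONID included, into the value of `theme`, so any page that echoes that cookie hands the session ID back to whoever planted it; the flawed parser also loses JSESSIONID as a cookie of its own. The boundary-first parser returns `dark\`, `dark%5C` and `da"rk` respectively and keeps JSESSIONID separate. The same shape of check, a cookie that contains `"` or `%5C` followed by a known marker, then a look for the marker in the reflected value, is what a tester would run against a real instance.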
Vulnerability Consequences: Obtain Information

References:
[CCN] BugTraq Mailing List, Fri Feb 08 2008 - 17:19:15 CST: CVE-2007-5333: Tomcat Cookie handling vulnerabilities
[MITRE] CNA: CVE-2007-5333
[CCN] RHSA-2009-1164: Important: tomcat security update
[CCN] RHSA-2009-1454: Important: tomcat5 security update
[CCN] RHSA-2009-1562: Important: tomcat security update
[CCN] RHSA-2009-1563: Important: tomcat security update
[CCN] RHSA-2009-1616: Low: tomcat security update for Red Hat Network Satellite Server
[CCN] RHSA-2010-0602: Moderate: Red Hat Certificate System 7.3 security update
[CCN] SA28878: Apache Tomcat Multiple Vulnerabilities
[CCN] SA28884: Apache Tomcat Cookie Handling Session ID Disclosure
[CCN] SA30676: VMware ESX Server update for Tomcat and Java JRE
[CCN] SA30802: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
[CCN] SA32036: Tivoli Netcool/Webtop Security Issue and Information Disclosure Vulnerability
[CCN] SA32222: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
[CCN] SA33330: IBM Tivoli Netcool/Webtop Tomcat Vulnerability
[CCN] SA37460: VMware Products Update for Multiple Packages
[CCN] SA40425: Novell ZENworks Linux Management Tomcat Multiple Vulnerabilities
[CCN] SA44183: BlackBerry Enterprise Server Multiple Vulnerabilities
[CCN] SA54255: HP Network Node Manager i (NNMi) Multiple Vulnerabilities
[CCN] Apple Web site: About Security Update 2008-007
[CCN] Apache Tomcat Web site: Fixed in Apache Tomcat 6.0.16 - low: Session hi-jacking CVE-2007-5333
[CCN] IBM Web site: Tivoli Netcool/Webtop
[CCN] IBM Support & downloads: Fix list for Webtop Version 1.3.13
[CCN] GLSA-200804-10: Tomcat: Multiple vulnerabilities
[CCN] Novell Document ID 7006398: Tomcat 5.0.28 in ZLM 7.3 subject to "Multiple Vendor Multiple HTTP Request Smuggling Vulnerabilities"
[CCN] BID-27706: Apache Tomcat Cookie Quote Handling Remote Information Disclosure Vulnerability
[CCN] BID-31681: RETIRED: Apple Mac OS X 2008-007 Multiple Security Vulnerabilities
[CCN] VMSA-2008-0010: Updated Tomcat and Java JRE packages for VMware ESX 3.5
[XF] apache-tomcat-cookie-info-disclosure(40403)
[CCN] HP Security Bulletin HPSBMU02894 rev.1: HP Network Node Manager I (NNMi) for HP-UX, Linux, Solaris, and Windows, Remote Denial of Service (DoS), Unauthorized Access, Execution of Arbitrary Code
[CCN] IBM Security Bulletin 6858013 (Tivoli Application Dependency Discovery Manager): TADDM affected by multiple vulnerabilities due to Apache Tomcat libraries
[SUSE] SUSE-SR:2009:004: SUSE Security Summary Report
[NVD, secalert@redhat.com] untitled entries, by type: Third Party Advisory (15); Third Party Advisory, VDB Entry (4); Mailing List, Third Party Advisory (3); Vendor Advisory (3); Broken Link (2); URL Repurposed (6); UNKNOWN (7); Exploit, Patch, Third Party Advisory, VDB Entry (1); Issue Tracking, Third Party Advisory (1); Tool Signature (1)

Vulnerable Configuration:
Configuration RedHat 1: cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
Configuration RedHat 2: cpe:/o:redhat:enterprise_linux:5::client:*:*:*:*:*
Configuration RedHat 3: cpe:/o:redhat:enterprise_linux:5::client_workstation:*:*:*:*:*
Configuration RedHat 4: cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*
Configuration CCN 1: any one of the following applications
cpe:/a:apache:tomcat:4.1.10:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.5.4:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.0.19:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:4.1.24:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.0.28:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.5.12:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.5.9:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.5.7:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:4.1.34:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.5.20:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.5.17:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:4.1.12:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:4.1.3:beta:*:*:*:*:*:*
cpe:/a:apache:tomcat:4.1.31:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:4.1.36:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:4.1.9:beta:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.0.1:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.0.10:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.0.11:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.0.12:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.0.13:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.0.14:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.0.15:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.0.16:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.0.2:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.0.3:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.0.30:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.0.4:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.0.5:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.0.6:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.0.7:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.0.8:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.0.9:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.5.1:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.5.10:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.5.11:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.5.13:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.5.14:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.5.15:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.5.16:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.5.18:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.5.19:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.5.2:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.5.21:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.5.22:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.5.23:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.5.24:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.5.25:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.5.3:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.5.5:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.5.6:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:5.5.8:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:6.0:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:6.0.1:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:6.0.10:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:6.0.11:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:6.0.12:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:6.0.13:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:6.0.14:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:6.0.15:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:6.0.2:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:6.0.3:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:6.0.4:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:6.0.5:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:6.0.6:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:6.0.7:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:6.0.8:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:6.0.9:*:*:*:*:*:*:*
cpe:/a:redhat:certificate_system:7.3:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:4.1.32:*:*:*:*:*:*:*
cpe:/a:apache:tomcat:4.1.37:*:*:*:*:*:*:*
cpe:/a:ibm:tivoli_netcool_webtop:2.1.0:*:*:*:*:*:*:*
AND any one of the following platforms
cpe:/o:gentoo:linux:-:*:*:*:*:*:*:*
cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
cpe:/o:redhat:enterprise_linux:5::client_workstation:*:*:*:*:*
cpe:/o:mandrakesoft:mandrake_linux:2008.0:x86_64:*:*:*:*:*:*
cpe:/o:redhat:enterprise_linux:5::client:*:*:*:*:*
cpe:/a:redhat:rhel_developer_suite:3:*:*:*:*:*:*:*
cpe:/a:redhat:rhel_application_server:2:*:*:*:*:*:*:*
cpe:/o:mandrakesoft:mandrake_linux:2008.0:*:*:*:*:*:*:*
cpe:/o:mandrakesoft:mandrake_linux:2008.1:x86_64:*:*:*:*:*:*
cpe:/o:apple:mac_os_x_server:10.5:*:*:*:*:*:*:*
cpe:/o:apple:mac_os_x_server:10.5.1:*:*:*:*:*:*:*
cpe:/o:apple:mac_os_x_server:10.5.2:*:*:*:*:*:*:*
cpe:/o:mandrakesoft:mandrake_linux:2008.1:*:*:*:*:*:*:*
cpe:/a:vmware:esx_server:3.5:*:*:*:*:*:*:*
cpe:/o:apple:mac_os_x_server:10.5.3:*:*:*:*:*:*:*
cpe:/o:apple:mac_os_x_server:10.5.4:*:*:*:*:*:*:*
cpe:/o:apple:mac_os_x_server:10.5.5:*:*:*:*:*:*:*
cpe:/a:hp:network_node_manager_i:9.0:*:*:*:*:*:*:*
cpe:/a:ibm:tivoli_application_dependency_discovery_manager:7.3.0.0:*:*:*:*:*:*:*

OVAL Definitions (Definition ID; Class; Title; Last Modified):
oval:org.opensuse.security:def:20075333; V; CVE-2007-5333; 2015-11-16
oval:org.mitre.oval:def:29179; P; RHSA-2009:1164 -- tomcat security update (Important); 2015-08-17
oval:org.mitre.oval:def:22721; P; ELSA-2009:1164: tomcat security update (Important); 2014-05-26
oval:org.mitre.oval:def:11177; V; Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385.; 2013-04-29
oval:com.redhat.rhsa:def:20091164; P; RHSA-2009:1164: tomcat security update (Important); 2009-07-21