CVE-2007-5333
The MITRE CVE dictionary describes this issue as:
Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385.
Find out more about CVE-2007-5333 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5333
The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Certificate System 7.3 for 4AS | RHSA-2010:0602 | 2010-08-04 |
| Red Hat Satellite 5.3 (RHEL v.4) (tomcat5) | RHSA-2009:1616 | 2009-11-30 |
| Red Hat JBoss Enterprise Web Server 1 for RHEL 5 Server (tomcat5) | RHSA-2009:1454 | 2009-09-21 |
| Red Hat Satellite 5.2 (RHEL v.4 AS) (tomcat5) | RHSA-2009:1616 | 2009-11-30 |
| Red Hat Developer Suite v.3 (AS v.4) (tomcat5) | RHSA-2009:1563 | 2009-11-09 |
| Red Hat JBoss Web Server 1.0 for RHEL 4 AS (tomcat5) | RHSA-2009:1454 | 2009-09-21 |
| Red Hat Application Server v2 4AS (tomcat5) | RHSA-2009:1562 | 2009-11-09 |
| Red Hat Enterprise Linux 5 (tomcat5) | RHSA-2009:1164 | 2009-07-21 |
CVE description copyright © 2017, The MITRE Corporation