CVE-2007-3382: Infoleak
First published: Tue Aug 14 2007(Updated: )
Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 treats single quotes ("'") as delimiters in cookies, which might cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.tomcat:tomcat | >=3.3.0<=3.3.2 | |
| maven/org.apache.tomcat:tomcat | >=4.1.0<=4.1.36 | |
| maven/org.apache.tomcat:tomcat | >=5.0.0<=5.0.30 | |
| maven/org.apache.tomcat:tomcat | >=5.5.0<=5.5.24 | |
| maven/org.apache.tomcat:tomcat | >=6.0.0<=6.0.13 | |
| Tomcat | =3.3 | |
| Tomcat | =3.3.1 | |
| Tomcat | =3.3.1a | |
| Tomcat | =3.3.2 | |
| Tomcat | =4.1.0 | |
| Tomcat | =4.1.1 | |
| Tomcat | =4.1.2 | |
| Tomcat | =4.1.3 | |
| Tomcat | =4.1.3-beta | |
| Tomcat | =4.1.9-beta | |
| Tomcat | =4.1.10 | |
| Tomcat | =4.1.15 | |
| Tomcat | =4.1.24 | |
| Tomcat | =4.1.28 | |
| Tomcat | =4.1.31 | |
| Tomcat | =4.1.36 | |
| Tomcat | =5.0.0 | |
| Tomcat | =5.0.1 | |
| Tomcat | =5.0.2 | |
| Tomcat | =5.0.3 | |
| Tomcat | =5.0.4 | |
| Tomcat | =5.0.5 | |
| Tomcat | =5.0.6 | |
| Tomcat | =5.0.7 | |
| Tomcat | =5.0.8 | |
| Tomcat | =5.0.9 | |
| Tomcat | =5.0.10 | |
| Tomcat | =5.0.11 | |
| Tomcat | =5.0.12 | |
| Tomcat | =5.0.13 | |
| Tomcat | =5.0.14 | |
| Tomcat | =5.0.15 | |
| Tomcat | =5.0.16 | |
| Tomcat | =5.0.17 | |
| Tomcat | =5.0.18 | |
| Tomcat | =5.0.19 | |
| Tomcat | =5.0.21 | |
| Tomcat | =5.0.22 | |
| Tomcat | =5.0.23 | |
| Tomcat | =5.0.24 | |
| Tomcat | =5.0.25 | |
| Tomcat | =5.0.26 | |
| Tomcat | =5.0.27 | |
| Tomcat | =5.0.28 | |
| Tomcat | =5.0.29 | |
| Tomcat | =5.0.30 | |
| Tomcat | =5.5.0 | |
| Tomcat | =5.5.1 | |
| Tomcat | =5.5.2 | |
| Tomcat | =5.5.3 | |
| Tomcat | =5.5.4 | |
| Tomcat | =5.5.5 | |
| Tomcat | =5.5.6 | |
| Tomcat | =5.5.7 | |
| Tomcat | =5.5.8 | |
| Tomcat | =5.5.9 | |
| Tomcat | =5.5.10 | |
| Tomcat | =5.5.11 | |
| Tomcat | =5.5.12 | |
| Tomcat | =5.5.13 | |
| Tomcat | =5.5.14 | |
| Tomcat | =5.5.15 | |
| Tomcat | =5.5.16 | |
| Tomcat | =5.5.17 | |
| Tomcat | =5.5.18 | |
| Tomcat | =5.5.19 | |
| Tomcat | =5.5.20 | |
| Tomcat | =5.5.21 | |
| Tomcat | =5.5.22 | |
| Tomcat | =5.5.23 | |
| Tomcat | =5.5.24 | |
| Tomcat | =6.0.0 | |
| Tomcat | =6.0.1 | |
| Tomcat | =6.0.2 | |
| Tomcat | =6.0.3 | |
| Tomcat | =6.0.4 | |
| Tomcat | =6.0.5 | |
| Tomcat | =6.0.6 | |
| Tomcat | =6.0.7 | |
| Tomcat | =6.0.8 | |
| Tomcat | =6.0.9 | |
| Tomcat | =6.0.10 | |
| Tomcat | =6.0.11 | |
| Tomcat | =6.0.12 | |
| Tomcat | =6.0.13 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2007-3382
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36006
- https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E
- https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html
- http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
- http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
- http://support.apple.com/kb/HT2163
- http://tomcat.apache.org/security-6.html
- http://www.debian.org/security/2008/dsa-1447
- http://www.debian.org/security/2008/dsa-1453
- http://www.redhat.com/support/errata/RHSA-2007-0871.html
- http://www.redhat.com/support/errata/RHSA-2007-0950.html
- http://www.redhat.com/support/errata/RHSA-2008-0195.html
- http://www.redhat.com/support/errata/RHSA-2008-0261.html
- https://github.com/advisories/GHSA-qff8-g48j-pwpw (Advisory)
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01192554
- http://secunia.com/advisories/26466
- http://secunia.com/advisories/26898
- http://secunia.com/advisories/27037
- http://secunia.com/advisories/27267
- http://secunia.com/advisories/27727
- http://secunia.com/advisories/28317
- http://secunia.com/advisories/28361
- http://secunia.com/advisories/29242
- http://secunia.com/advisories/30802
- http://secunia.com/advisories/33668
- http://secunia.com/advisories/36486
- http://securitytracker.com/id?1018556
- http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
- http://www-01.ibm.com/support/docview.wss?uid=swg1IZ55562
- http://www.kb.cert.org/vuls/id/993544
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:241
- http://www.securityfocus.com/archive/1/476442/100/0/threaded
- http://www.securityfocus.com/archive/1/476466/100/0/threaded
- http://www.securityfocus.com/archive/1/500396/100/0/threaded
- http://www.securityfocus.com/archive/1/500412/100/0/threaded
- http://www.securityfocus.com/bid/25316
- http://www.vupen.com/english/advisories/2007/2902
- http://www.vupen.com/english/advisories/2007/3386
- http://www.vupen.com/english/advisories/2007/3527
- http://www.vupen.com/english/advisories/2008/1981/references
- http://www.vupen.com/english/advisories/2009/0233
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11269
- https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
Frequently Asked Questions
What is the severity of CVE-2007-3382?
CVE-2007-3382 is considered to have a medium severity, as it can lead to session hijacking attacks.
How do I fix CVE-2007-3382?
To fix CVE-2007-3382, upgrade Apache Tomcat to version 6.0.14 or later, or to version 5.5.25 or later.
What versions of Apache Tomcat are affected by CVE-2007-3382?
CVE-2007-3382 affects Apache Tomcat versions from 3.3 to 6.0.13.
What type of exploitation is associated with CVE-2007-3382?
CVE-2007-3382 can be exploited by remote attackers to leak sensitive information such as session IDs.
Are there any known workarounds for CVE-2007-3382?
There are no specific workarounds for CVE-2007-3382 other than upgrading to secure versions of Apache Tomcat.
- collector/github-advisory-latest
- alias/GHSA-qff8-g48j-pwpw
- alias/CVE-2007-3382
- collector/github-advisory
- agent/type
- agent/softwarecombine
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/author
- agent/references
- agent/first-publish-date
- agent/event
- agent/description
- agent/trending
- agent/source
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-cve
- collector/nvd-index
- collector/nvd-historical
- package-manager/maven
- vendor/apache
- canonical/tomcat
- version/tomcat/3.3
- version/tomcat/3.3.1
- version/tomcat/3.3.1a
- version/tomcat/3.3.2
- version/tomcat/4.1.0
- version/tomcat/4.1.1
- version/tomcat/4.1.2
- version/tomcat/4.1.3
- version/tomcat/4.1.3-beta
- version/tomcat/4.1.9-beta
- version/tomcat/4.1.10
- version/tomcat/4.1.15
- version/tomcat/4.1.24
- version/tomcat/4.1.28
- version/tomcat/4.1.31
- version/tomcat/4.1.36
- version/tomcat/5.0.0
- version/tomcat/5.0.1
- version/tomcat/5.0.2
- version/tomcat/5.0.3
- version/tomcat/5.0.4
- version/tomcat/5.0.5
- version/tomcat/5.0.6
- version/tomcat/5.0.7
- version/tomcat/5.0.8
- version/tomcat/5.0.9
- version/tomcat/5.0.10
- version/tomcat/5.0.11
- version/tomcat/5.0.12
- version/tomcat/5.0.13
- version/tomcat/5.0.14
- version/tomcat/5.0.15
- version/tomcat/5.0.16
- version/tomcat/5.0.17
- version/tomcat/5.0.18
- version/tomcat/5.0.19
- version/tomcat/5.0.21
- version/tomcat/5.0.22
- version/tomcat/5.0.23
- version/tomcat/5.0.24
- version/tomcat/5.0.25
- version/tomcat/5.0.26
- version/tomcat/5.0.27
- version/tomcat/5.0.28
- version/tomcat/5.0.29
- version/tomcat/5.0.30
- version/tomcat/5.5.0
- version/tomcat/5.5.1
- version/tomcat/5.5.2
- version/tomcat/5.5.3
- version/tomcat/5.5.4
- version/tomcat/5.5.5
- version/tomcat/5.5.6
- version/tomcat/5.5.7
- version/tomcat/5.5.8
- version/tomcat/5.5.9
- version/tomcat/5.5.10
- version/tomcat/5.5.11
- version/tomcat/5.5.12
- version/tomcat/5.5.13
- version/tomcat/5.5.14
- version/tomcat/5.5.15
- version/tomcat/5.5.16
- version/tomcat/5.5.17
- version/tomcat/5.5.18
- version/tomcat/5.5.19
- version/tomcat/5.5.20
- version/tomcat/5.5.21
- version/tomcat/5.5.22
- version/tomcat/5.5.23
- version/tomcat/5.5.24
- version/tomcat/6.0.0
- version/tomcat/6.0.1
- version/tomcat/6.0.2
- version/tomcat/6.0.3
- version/tomcat/6.0.4
- version/tomcat/6.0.5
- version/tomcat/6.0.6
- version/tomcat/6.0.7
- version/tomcat/6.0.8
- version/tomcat/6.0.9
- version/tomcat/6.0.10
- version/tomcat/6.0.11
- version/tomcat/6.0.12
- version/tomcat/6.0.13