CVE-2010-4312
Published: 26 November 2010
The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie.
Notes
| Author | Note |
|---|---|
| kees | fixed going forward in Tomcat 7; really a configuration issue for sites. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
tomcat5 Launchpad, Ubuntu, Debian |
dapper |
Ignored
(end of life)
|
| hardy |
Does not exist
|
|
| karmic |
Does not exist
|
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
tomcat5.5 Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Ignored
(end of life)
|
|
| karmic |
Does not exist
|
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
tomcat6 Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Does not exist
|
|
| karmic |
Ignored
(end of life)
|
|
| lucid |
Ignored
(end of life)
|
|
| maverick |
Ignored
(end of life)
|
|
| upstream |
Needs triage
|