CVSSv2: 6.4

CVE-2010-4312

Published: 26/11/2010 Updated: 10/10/2018
CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10
VMScore: 570
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P

Vulnerability Summary

The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote malicious users to hijack a session via script access to a cookie.

Vulnerable Products

apache tomcat 6.0
apache tomcat 6.0.0
apache tomcat 6.0.1
apache tomcat 6.0.2
apache tomcat 6.0.3
apache tomcat 6.0.4
apache tomcat 6.0.5
apache tomcat 6.0.6
apache tomcat 6.0.7
apache tomcat 6.0.8
apache tomcat 6.0.9
apache tomcat 6.0.10
apache tomcat 6.0.11
apache tomcat 6.0.12
apache tomcat 6.0.13
apache tomcat 6.0.14
apache tomcat 6.0.15
apache tomcat 6.0.16
apache tomcat 6.0.17
apache tomcat 6.0.18
apache tomcat 6.0.19
apache tomcat 6.0.20
apache tomcat 6.0.24
apache tomcat 6.0.26
apache tomcat 6.0.27
apache tomcat 6.0.28
apache tomcat 6.0.29

Vendor Advisories

Debian Bug report logs - #608286 CVE-2010-4312: does not use HTTPOnly for session cookies by default
Package: tomcat6; Maintainer for tomcat6 is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Reported by: Giuseppe Iuculano <iuculano@debian.org>
Date: Wed, 29 Dec 2010 17:33:02 UTC
Severity: mi ...