The org.apache.catalina.connector.Response.encodeURL method in Red Hat JBoss Web 7.1.x and previous versions, when the tracking mode is set to COOKIE, sends the jsessionid in the URL of the first response of a session, which allows remote malicious users to obtain the session id (1) via a man-in-the-middle attack or (2) by reading a log.
Vulnerable Product |
---|
redhat jboss community application server 6.0.0 |
redhat jboss community application server 6.1.0 |
redhat jboss community application server 7.0.0 |
redhat jboss community application server 5.1.0 |
redhat jboss community application server 5.0.1 |
redhat jboss community application server 5.0.0 |
redhat jboss community application server 7.0.1 |
redhat jboss community application server 7.1.0 |
redhat jboss community application server 7.0.2 |
redhat jboss community application server |
redhat jboss enterprise application platform 6.0.0 |