CVE-2010-4312

The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie.

Published Bycve@mitre.org

Published DateNov 26, 2010, 20:00

Affected Versions(1)

org.apache.tomcat:tomcat(Maven)

Introduced6.0.0

Fixed6.0.35

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.apache.tomcat:tomcat(Maven)	6.0.0	6.0.35	N/A

Weakness Type (CWE):CWE-16

CVSS Metrics

Base Score

6.4

Vector String

AV:N/AC:L/Au:N/C:N/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

PARTIAL

Availability (A)

PARTIAL

References

http://www.securityfocus.com/archive/1/514866/100/0/threaded

Weakness Type (CWE):CWE-16

CVSS Metrics

Base Score

6.4

Vector String

AV:N/AC:L/Au:N/C:N/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

PARTIAL

Availability (A)

PARTIAL