CVE-2010-4312

Apache Tomcat has cookies without HTTPOnly flag in Set-Cookie header in maven/org.apache.tomcat/tomcat

Identifiers

GHSA-pvjh-7h8q-q56r, CVE-2010-4312

Package Slug

maven/org.apache.tomcat/tomcat

Vulnerability

Apache Tomcat has cookies without HTTPOnly flag in Set-Cookie header

Description

The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie.
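A defender-side check for this class of issue, added here as an example and not part of the advisory or the Tomcat project: it parses the Set-Cookie headers of a captured HTTP response and reports session cookies that were issued without HttpOnly. The cookie name JSESSIONID and the sample responses are assumptions constructed for the example.

```python
# Added example (not from the advisory or Tomcat): report cookies set without HttpOnly.
from typing import Dict, List

# Session cookie names to check; JSESSIONID is assumed as the Tomcat session cookie.
SESSION_COOKIE_NAMES = {"JSESSIONID"}


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into its name, value and lower-cased attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        # Flag attributes such as HttpOnly/Secure carry no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def find_missing_httponly(raw_headers: str, only_session: bool = True) -> List[str]:
    """Return names of cookies in a response header block that lack HttpOnly.

    With only_session=True, only names in SESSION_COOKIE_NAMES are reported.
    """
    missing: List[str] = []
    for line in raw_headers.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        cookie = parse_set_cookie(line.split(":", 1)[1])
        if only_session and cookie["name"] not in SESSION_COOKIE_NAMES:
            continue
        if "httponly" not in cookie["attrs"]:
            missing.append(cookie["name"])
    return missing


# Constructed samples: a response in the vulnerable default shape, and a fixed one.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=ABC123; Path=/app\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Content-Type: text/html\r\n"
)
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=ABC123; Path=/app; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
)

if __name__ == "__main__":
    print(find_missing_httponly(VULNERABLE_RESPONSE))  # ['JSESSIONID']
    print(find_missing_httponly(FIXED_RESPONSE))       # []
```

Run it against a saved response from the upgraded server to confirm the session cookie now carries HttpOnly; pass `only_session=False` to audit every cookie.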

Affected Versions

All versions starting from 6.0.0 before 6.0.35

Solution

Upgrade to version 6.0.35 or above.

Last Modified

2024-02-09