CVE-2010-4312

The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie.

CVSS v2.0 6.4 MEDIUM

6.4^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:P

Exploitability : 10.0 / Impact : 4.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.securityfocus.com/archive/1/514866/100/0/threaded
http://www.securityfocus.com/archive/1/514866/100/0/threaded

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:tomcat:6.0:::::::*
	cpe:2.3:a:apache:tomcat:6.0.0:::::::*
	cpe:2.3:a:apache:tomcat:6.0.1:::::::*
	cpe:2.3:a:apache:tomcat:6.0.2:::::::*
	cpe:2.3:a:apache:tomcat:6.0.3:::::::*
	cpe:2.3:a:apache:tomcat:6.0.4:::::::*
	cpe:2.3:a:apache:tomcat:6.0.5:::::::*
	cpe:2.3:a:apache:tomcat:6.0.6:::::::*
	cpe:2.3:a:apache:tomcat:6.0.7:::::::*
	cpe:2.3:a:apache:tomcat:6.0.8:::::::*
	cpe:2.3:a:apache:tomcat:6.0.9:::::::*
	cpe:2.3:a:apache:tomcat:6.0.10:::::::*
	cpe:2.3:a:apache:tomcat:6.0.11:::::::*
	cpe:2.3:a:apache:tomcat:6.0.12:::::::*
	cpe:2.3:a:apache:tomcat:6.0.13:::::::*
	cpe:2.3:a:apache:tomcat:6.0.14:::::::*
	cpe:2.3:a:apache:tomcat:6.0.15:::::::*
	cpe:2.3:a:apache:tomcat:6.0.16:::::::*
	cpe:2.3:a:apache:tomcat:6.0.17:::::::*
	cpe:2.3:a:apache:tomcat:6.0.18:::::::*
	cpe:2.3:a:apache:tomcat:6.0.19:::::::*
	cpe:2.3:a:apache:tomcat:6.0.20:::::::*
	cpe:2.3:a:apache:tomcat:6.0.24:::::::*
	cpe:2.3:a:apache:tomcat:6.0.26:::::::*
	cpe:2.3:a:apache:tomcat:6.0.27:::::::*
	cpe:2.3:a:apache:tomcat:6.0.28:::::::*
	cpe:2.3:a:apache:tomcat:6.0.29:::::::*

History

No history.

Information

Published : 2010-11-26 20:00

Updated : 2025-04-11 00:51

NVD link : CVE-2010-4312

Mitre link : CVE-2010-4312

CVE.ORG link : CVE-2010-4312

JSON object : View

Products Affected

apache

tomcat

CWE

CWE-16

Configuration

6.4 /10