Vulnerabilities > CVE-2010-4312 - Configuration vulnerability in Apache Tomcat

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

apache

CWE-16

nessus

NVD

Published: 2010-11-26

Updated: 2018-10-10

Summary

The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie.

Vulnerable Configurations

Part	Description	Count
Application	Apache Apache Tomcat 6.0.6 Apache Tomcat 6.0.11 Apache Tomcat 6.0.7 Apache Tomcat 6.0.4 Apache Tomcat 6.0.15 Apache Tomcat 6.0.20 Apache Tomcat 6.0.10 Apache Tomcat 6.0.29 Apache Tomcat 6.0.3 Apache Tomcat 6.0.9 Apache Tomcat 6.0.24 Apache Tomcat 6.0.17 Apache Tomcat 6.0 Apache Tomcat 6.0.28 Apache Tomcat 6.0.0 Apache Tomcat 6.0.14 Apache Tomcat 6.0.1 Apache Tomcat 6.0.12 Apache Tomcat 6.0.18 Apache Tomcat 6.0.5 Apache Tomcat 6.0.2 Apache Tomcat 6.0.13 Apache Tomcat 6.0.26 Apache Tomcat 6.0.19 Apache Tomcat 6.0.27 Apache Tomcat 6.0.16 Apache Tomcat 6.0.8	27

Common Weakness Enumeration (CWE)

CWE-16 - Configuration

Nessus

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-201206-24.NASL
description	The remote host is affected by the vulnerability described in GLSA-201206-24 (Apache Tomcat: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Apache Tomcat. Please review the CVE identifiers referenced below for details. Impact : The vulnerabilities allow an attacker to cause a Denial of Service, to hijack a session, to bypass authentication, to inject webscript, to enumerate valid usernames, to read, modify and overwrite arbitrary files, to bypass intended access restrictions, to delete work-directory files, to discover the server’s hostname or IP, to bypass read permissions for files or HTTP headers, to read or write files outside of the intended working directory, and to obtain sensitive information by reading a log file. Workaround : There is no known workaround at this time.
last seen	2020-06-01
modified	2020-06-02
plugin id	59677
published	2012-06-25
reporter	This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/59677
title	GLSA-201206-24 : Apache Tomcat: Multiple vulnerabilities

NASL family	Web Servers
NASL id	TOMCAT_6_0_30.NASL
description	According to its self-reported version number, the instance of Apache Tomcat 6.0.x listening on the remote host is prior to 6.0.30. It is, therefore, affected by multiple vulnerabilities : - An error in the access restriction on a
last seen	2020-03-18
modified	2011-02-14
plugin id	51975
published	2011-02-14
reporter	This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/51975
title	Apache Tomcat 6.0.x < 6.0.30 Multiple Vulnerabilities

References

http://www.securityfocus.com/archive/1/514866/100/0/threaded