Vulnerabilities > CVE-2010-4312 - Configuration vulnerability in Apache Tomcat

047910
CVSS 6.4 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
apache
CWE-16
nessus

Summary

The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201206-24.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201206-24 (Apache Tomcat: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Apache Tomcat. Please review the CVE identifiers referenced below for details. Impact : The vulnerabilities allow an attacker to cause a Denial of Service, to hijack a session, to bypass authentication, to inject webscript, to enumerate valid usernames, to read, modify and overwrite arbitrary files, to bypass intended access restrictions, to delete work-directory files, to discover the server’s hostname or IP, to bypass read permissions for files or HTTP headers, to read or write files outside of the intended working directory, and to obtain sensitive information by reading a log file. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id59677
    published2012-06-25
    reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/59677
    titleGLSA-201206-24 : Apache Tomcat: Multiple vulnerabilities
  • NASL familyWeb Servers
    NASL idTOMCAT_6_0_30.NASL
    descriptionAccording to its self-reported version number, the instance of Apache Tomcat 6.0.x listening on the remote host is prior to 6.0.30. It is, therefore, affected by multiple vulnerabilities : - An error in the access restriction on a
    last seen2020-03-18
    modified2011-02-14
    plugin id51975
    published2011-02-14
    reporterThis script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/51975
    titleApache Tomcat 6.0.x < 6.0.30 Multiple Vulnerabilities