CVE-2008-0128

N/A Unknown

Published: January 23, 2008 Modified: April 23, 2026

Description

The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx

Source: cve@mitre.org

http://issues.apache.org/bugzilla/show_bug.cgi?id=41217

Source: cve@mitre.org

Patch

http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html

Source: cve@mitre.org

http://rhn.redhat.com/errata/RHSA-2008-0630.html

Source: cve@mitre.org

http://secunia.com/advisories/28549

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/28552

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/29242

Source: cve@mitre.org

http://secunia.com/advisories/31493

Source: cve@mitre.org

http://secunia.com/advisories/33668

Source: cve@mitre.org

http://security-tracker.debian.net/tracker/CVE-2008-0128

Source: cve@mitre.org

http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540

Source: cve@mitre.org

http://www.debian.org/security/2008/dsa-1468

Source: cve@mitre.org

http://www.redhat.com/support/errata/RHSA-2008-0261.html

Source: cve@mitre.org

http://www.securityfocus.com/archive/1/500396/100/0/threaded

Source: cve@mitre.org

http://www.securityfocus.com/archive/1/500412/100/0/threaded

Source: cve@mitre.org

http://www.securityfocus.com/bid/27365

Source: cve@mitre.org

http://www.vupen.com/english/advisories/2008/0192

Source: cve@mitre.org

http://www.vupen.com/english/advisories/2009/0233

Source: cve@mitre.org

https://exchange.xforce.ibmcloud.com/vulnerabilities/39804

Source: cve@mitre.org

https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E

Source: cve@mitre.org

http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx

Source: af854a3a-2127-422b-91ae-364da2661108

http://issues.apache.org/bugzilla/show_bug.cgi?id=41217

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2008-0630.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/28549

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://secunia.com/advisories/28552

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://secunia.com/advisories/29242

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/31493

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/33668

Source: af854a3a-2127-422b-91ae-364da2661108

http://security-tracker.debian.net/tracker/CVE-2008-0128

Source: af854a3a-2127-422b-91ae-364da2661108

http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.debian.org/security/2008/dsa-1468

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.redhat.com/support/errata/RHSA-2008-0261.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/archive/1/500396/100/0/threaded

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/archive/1/500412/100/0/threaded

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/27365

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.vupen.com/english/advisories/2008/0192

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.vupen.com/english/advisories/2009/0233

Source: af854a3a-2127-422b-91ae-364da2661108

https://exchange.xforce.ibmcloud.com/vulnerabilities/39804

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

44 reference(s) from NVD

Quick Stats

CVSS v3 Score

N/A / 10.0

EPSS (Exploit Probability)

19.6%

97th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-16

Affected Vendors

apache

Related CVEs

CVE-2026-9677 N/A

CVE-2026-13245 6.1

CVE-2026-12404 5.3

CVE-2026-10820 N/A

CVE-2026-12415 9.8