CVE-2008-0128 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2008-0128 Interim 1 3 2021-06-09T08:43:40Z current 2021-05-30T12:41:27Z 2021-06-09T08:43:40Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2008-0128 The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html E-Mail link for SUSE-SR:2008:005 https://www.suse.com/support/kb/doc/?id=7006398 E-Mail link for TID7006398 https://www.suse.com/support/security/rating/ SUSE Security Ratings The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. CVE-2008-0128 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N