The org.apache.catalina.connector.Response.encodeURL method in Red Hat JBoss Web 7.1.x and earlier, when the tracking mode is set to COOKIE, sends the jsessionid in the URL of the first response of a session, which allows remote attackers to obtain the session id (1) via a man-in-the-middle attack or (2) by reading a log.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2013-10-28T21:00:00Z

Updated: 2024-08-06T20:42:54.635Z

Reserved: 2012-08-21T00:00:00Z

Link: CVE-2012-4529

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2013-10-28T21:55:04.923

Modified: 2013-10-30T14:49:44.890

Link: CVE-2012-4529

cve-icon Redhat

Severity : Low

Publid Date: 2012-10-10T00:00:00Z

Links: CVE-2012-4529 - Bugzilla