Information Exposure Affecting org.jboss.as:jboss-as-web Open this link in a new tab package, versions [,7.2.0.Final)


0.0
medium
  • Attack Complexity

    Low

  • User Interaction

    Required

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JAVA-ORGJBOSSAS-31197

  • published

    17 Jun 2014

  • disclosed

    28 Oct 2013

  • credit

    Unknown

Overview

org.jboss.as:jboss-as-web The org.apache.catalina.connector.Response.encodeURL method in Red Hat JBoss Web 7.1.x and earlier, when the tracking mode is set to COOKIE, sends the jsessionid in the URL of the first response of a session, which allows remote attackers to obtain the session id (1) via a man-in-the-middle attack or (2) by reading a log.

References