Information Exposure Affecting org.jboss.as:jboss-as-web Open this link in a new tab package, versions [,7.2.0.Final)
Attack Complexity
Low
User Interaction
Required
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications-
snyk-id
SNYK-JAVA-ORGJBOSSAS-31197
-
published
17 Jun 2014
-
disclosed
28 Oct 2013
-
credit
Unknown
Introduced: 28 Oct 2013
CVE-2012-4529 Open this link in a new tabOverview
org.jboss.as:jboss-as-web
The org.apache.catalina.connector.Response.encodeURL method in Red Hat JBoss Web 7.1.x and earlier, when the tracking mode is set to COOKIE, sends the jsessionid in the URL of the first response of a session, which allows remote attackers to obtain the session id (1) via a man-in-the-middle attack or (2) by reading a log.