{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2010-11-22T00:00:00", "descriptions": [{"lang": "en", "value": "The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-10T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20101122 [SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/514866/100/0/threaded"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-4312", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20101122 [SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/514866/100/0/threaded"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T03:43:14.325Z"}, "title": "CVE Program Container", "references": [{"name": "20101122 [SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/514866/100/0/threaded"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-4312", "datePublished": "2010-11-26T19:00:00", "dateReserved": "2010-11-26T00:00:00", "dateUpdated": "2024-08-07T03:43:14.325Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "D11D6FB7-CBDB-48C1-98CB-1B3CAA36C5D7", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "49E3C039-A949-4F1B-892A-57147EECB249", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "F28C7801-41B9-4552-BA1E-577967BCBBEE", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "25B21085-7259-4685-9D1F-FF98E6489E10", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "635EE321-2A1F-4FF8-95BE-0C26591969D9", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "9A81B035-8598-4D2C-B45F-C6C9D4B10C2F", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "E1096947-82A6-4EA8-A4F2-00D91E3F7DAF", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "0EBFA1D3-16A6-4041-BB30-51D2EE0F2AF4", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "B70B372F-EFFD-4AF7-99B5-7D1B23A0C54C", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "9C95ADA4-66F5-45C4-A677-ACE22367A75A", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "11951A10-39A2-4FF5-8C43-DF94730FB794", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "351E5BCF-A56B-4D91-BA3C-21A4B77D529A", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "2DC2BBB4-171E-4EFF-A575-A5B7FF031755", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "6B6B0504-27C1-4824-A928-A878CBBAB32D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "CE81AD36-ACD1-4C6C-8E7C-5326D1DA3045", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "D903956B-14F5-4177-AF12-0A5F1846D3C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*", "matchCriteriaId": "81F847DC-A2F5-456C-9038-16A0E85F4C3B", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*", "matchCriteriaId": "AF3EBD00-1E1E-452D-AFFB-08A6BD111DDD", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*", "matchCriteriaId": "C6B93A3A-D487-4CA1-8257-26F8FE287B8B", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*", "matchCriteriaId": "BD8802B2-57E0-4AA6-BC8E-00DE60468569", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*", "matchCriteriaId": "8461DF95-18DC-4BF5-A703-7F19DA88DC30", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*", "matchCriteriaId": "1F4C9BCF-9C73-4991-B02F-E08C5DA06EBA", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*", "matchCriteriaId": "2823789C-2CB6-4300-94DB-BDBE83ABA8E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*", "matchCriteriaId": "C5416C76-46ED-4CB1-A7F8-F24EA16DE7F9", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*", "matchCriteriaId": "A61429EE-4331-430C-9830-58DCCBCBCB58", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*", "matchCriteriaId": "31B3593F-CEDF-423C-90F8-F88EED87DC3E", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*", "matchCriteriaId": "AE7862B2-E1FA-4E16-92CD-8918AB461D9A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie."}, {"lang": "es", "value": "La configuraci\u00f3n por defecto de Apache Tomcat v6.x no incluye la bandera HTTPOnly en un encabezado Set-Cookie, lo cual hace m\u00e1s f\u00e1cil para los atacantes remotos secuestrar una sesi\u00f3n a traves del acceso mediante secuencias de comandos a una cookie."}], "id": "CVE-2010-4312", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2010-11-26T20:00:05.000", "references": [{"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/514866/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/514866/100/0/threaded"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-16"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "tomcat6: does not use HTTPOnly for session cookies by default", "id": "658267", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=658267"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "status": "draft"}, "details": ["The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie."], "name": "CVE-2010-4312", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1::el4", "fix_state": "Affected", "package_name": "tomcat6", "product_name": "Red Hat JBoss Enterprise Web Server 1 for RHEL 4 AS"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1::el5", "fix_state": "Affected", "package_name": "tomcat6", "product_name": "Red Hat JBoss Enterprise Web Server 1 for RHEL 5 Server"}], "public_date": "2010-11-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2010-4312\nhttps://nvd.nist.gov/vuln/detail/CVE-2010-4312"], "statement": "This issue is only a defense-in-depth measure, and we currently have no plans to fix this flaw in Red Hat Enterprise Linux 6. The use of the useHttpOnly setting in Tomcat only prohibits client scripts from accessing cookies when it is correctly implemented in the user's web browser. The use of httpOnly does not guarantee XSS protection; it is only a defense-in-depth measure. Additionally, implementing this as a default setting could have negative impact on existing expected behavior in client scripts. As a result, the Red Hat Security Response Team has determined that this issue is not a security flaw, but a proactive hardening measure and the risk associated with implementing it by default and possibly breaking expected behaviour is greater than any benefits it provides. Users who wish to take advantage of this hardening measure can enable useHttpOnly by adding '<Context useHttpOnly=\"true\">' to the default context.xml or a specific web-application context.", "threat_severity": "Moderate"}