Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2010-4312

The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie.

Related bugs and status

CVE-2010-4312 (Candidate) is related to these bugs:

Bug #1057111: Sync tomcat6 6.0.35-5 (universe) from Debian unstable (main)

Summary				In	Importance	Status
	1057111	Sync tomcat6 6.0.35-5 (universe) from Debian unstable (main)		tomcat6 (Ubuntu)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

BUGTRAQ: 20101122 [SECURITY] CV...