
CVE-2007-5333: Exposure of Sensitive Information in Apache Tomcat

CVSS Score: 5

Basic Information

EPSS Score: 0.99122%
Published: 5/1/2022
Updated: 2/14/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Package Name             | Ecosystem | Vulnerable Versions  | First Patched Version
org.apache.tomcat:tomcat | maven     | >= 6.0.0, < 6.0.15   | 6.0.15
org.apache.tomcat:tomcat | maven     | >= 5.5.0, < 5.5.25   | 5.5.26
org.apache.tomcat:tomcat | maven     | >= 4.1.0, < 4.1.36   | 4.1.37

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper handling of specific characters in cookie values during parsing. The functions responsible for parsing cookies (e.g., processCookieHeader and parseCookieHeader) are directly implicated because the CVE description highlights issues with double quote characters and %5C sequences. These functions likely failed to properly escape or validate these characters, leading to information disclosure. Confidence is high because the Tomcat security team explicitly linked this CVE to cookie parsing logic, and historical fixes for similar CVEs (e.g., CVE-2007-3385) targeted these components.

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

Apache Tomcat 4.1.0 through 4.1.36, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as s
