5

CVSS Score

Basic Information

CVE ID

CVE-2007-5333

GHSA ID

GHSA-cww4-vj5r-rx57

EPSS Score

0.99122%

CWE

CWE-200

Published

5/1/2022

Updated

2/14/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2007-5333

CVE-2007-5333: Exposure of Sensitive Information in Apache Tomcat

Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385.

(GitHub Advisory)

5

CVSS Score

Basic Information

CVE ID

CVE-2007-5333

GHSA ID

GHSA-cww4-vj5r-rx57

EPSS Score

0.99122%

CWE

CWE-200

Published

5/1/2022

Updated

2/14/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.tomcat:tomcat	maven	>= 6.0.0, < 6.0.15	6.0.15
org.apache.tomcat:tomcat	maven	>= 5.5.0, < 5.5.25	5.5.26
org.apache.tomcat:tomcat	maven	>= 4.1.0, < 4.1.36	4.1.37

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper handling of specific characters in cookie values during parsing. The functions responsible for parsing cookies (e.g., processCookieHeader and parseCookieHeader) are directly implicated because the CVE description highlights issues with double quotes and %5C sequences. These functions likely failed to properly escape or validate() these characters, leading to information disclosure. The confidence is high because the Tomcat security team explicitly linked this CVE to cookie parsing logic, and historical fixes for similar CVEs (e.g., CVE-2007-3385) targeted these components.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*p**** Tom**t *.*.* t*rou** *.*.**, *.*.* t*rou** *.*.**, *n* *.*.* t*rou** *.*.** *o*s not prop*rly **n*l* (*) *ou*l* quot* (") ***r**t*rs or (*) %** (*n*o*** ***ksl*s*) s*qu*n**s in * *ooki* v*lu*, w*i** mi**t **us* s*nsitiv* in*orm*tion su** *s s*

Reasoning

T** vuln*r**ility st*ms *rom improp*r **n*lin* o* sp**i*i* ***r**t*rs in *ooki* v*lu*s *urin* p*rsin*. T** *un*tions r*sponsi*l* *or p*rsin* *ooki*s (*.*., `pro**ss*ooki******r` *n* `p*rs**ooki******r`) *r* *ir**tly impli**t** ****us* t** *V* **s*rip

5

Basic Information

Concerned about an active attack path?

CVE-2007-5333: Exposure of Sensitive Information in Apache Tomcat

5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI