CVE-2012-4529 : The org.apache.catalina.connector.Response.encodeURL method in Red Hat JBoss Web 7.1.x and earlier, when the tracking mo

The org.apache.catalina.connector.Response.encodeURL method in Red Hat JBoss Web 7.1.x and earlier, when the tracking mode is set to COOKIE, sends the jsessionid in the URL of the first response of a session, which allows remote attackers to obtain the session id (1) via a man-in-the-middle attack or (2) by reading a log.

Published 2013-10-28 21:55:05

Updated 2013-10-30 14:49:45

Source Red Hat, Inc.

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2012-4529

Probability of exploitation activity in the next 30 days: 0.28%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 64 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2012-4529

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

References for CVE-2012-4529

http://rhn.redhat.com/errata/RHSA-2013-0834.html

RHSA-2013:0834 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2013-1437.html

Red Hat Customer Portal
Vendor Advisory

CVEs referencing this url
https://issues.jboss.org/browse/JBWEB-249

[JBWEB-249] Session Id is appended as URL path parameter even if disabled - JBoss Issue Tracker
http://ocpsoft.org/support/topic/session-id-is-appended-as-url-path-parameter-in-very-first-request/

Session Id is appended as URL path parameter in very first request | OCPsoft
http://rhn.redhat.com/errata/RHSA-2013-0833.html

RHSA-2013:0833 - Security Advisory - Red Hat Customer Portal
Vendor Advisory

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2013-0839.html

RHSA-2013:0839 - Security Advisory - Red Hat Customer Portal
Vendor Advisory

CVEs referencing this url

Products affected by CVE-2012-4529

Redhat » Jboss Enterprise Application Platform » Version: 6.0.0
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Community Application Server
Versions up to, including, (<=) 7.1.1
cpe:2.3:a:redhat:jboss_community_application_server:*:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Community Application Server » Version: 5.0.0
cpe:2.3:a:redhat:jboss_community_application_server:5.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Community Application Server » Version: 6.0.0
cpe:2.3:a:redhat:jboss_community_application_server:6.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Community Application Server » Version: 6.1.0
cpe:2.3:a:redhat:jboss_community_application_server:6.1.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Community Application Server » Version: 7.0.0
cpe:2.3:a:redhat:jboss_community_application_server:7.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Community Application Server » Version: 5.1.0
cpe:2.3:a:redhat:jboss_community_application_server:5.1.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Community Application Server » Version: 5.0.1
cpe:2.3:a:redhat:jboss_community_application_server:5.0.1:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Community Application Server » Version: 7.0.1
cpe:2.3:a:redhat:jboss_community_application_server:7.0.1:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Community Application Server » Version: 7.1.0
cpe:2.3:a:redhat:jboss_community_application_server:7.1.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Community Application Server » Version: 7.0.2
cpe:2.3:a:redhat:jboss_community_application_server:7.0.2:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2012-4529

Exploit prediction scoring system (EPSS) score for CVE-2012-4529

CVSS scores for CVE-2012-4529

References for CVE-2012-4529

Products affected by CVE-2012-4529