CVE-2010-4312
Apache Tomcat has cookies without HTTPOnly flag in Set-Cookie header
EPSS 1.7%
Description
The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie.
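As an added example (not part of this CVE record), the configuration-side mitigation is to set the useHttpOnly attribute on the Context element so that Tomcat appends HttpOnly to the session cookie it emits. The attribute is assumed to be available in the 6.0.x line from 6.0.19 onward; the file path and the surrounding Context block are illustrative.

```xml
<!-- conf/context.xml (illustrative path): applies to every web application on this Tomcat instance.
     useHttpOnly="true" makes the container add the HttpOnly attribute to the JSESSIONID Set-Cookie
     header, so the session cookie is no longer readable from JavaScript (document.cookie).
     On 6.0.x this must be set explicitly; the shipped default is the vulnerable one. -->
<Context useHttpOnly="true">
    <!-- Other per-context settings stay as they were -->
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
```

After restarting Tomcat, confirm the change by requesting any page that creates a session (for example the bundled examples application) with curl -I and checking that the Set-Cookie line for JSESSIONID ends in HttpOnly. This protects only cookies the container itself issues; cookies set by application code still need the flag set by that code. Upgrading to 6.0.35 or later, as the fix section states, remains the primary remediation.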
How to fix CVE-2010-4312
To remediate CVE-2010-4312, upgrade the affected package to a fixed version below.
- Maven/org.apache.tomcat:tomcat—upgrade to 6.0.35 or later
Is CVE-2010-4312 being exploited?
Low — EPSS is 1.7%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 6.0.0, < 6.0.35