Redhat: >> Jboss Community Application Server >> 7.1.1 Security Vulnerabilities
An issue exists in the property replacements feature in any descriptor in JBoxx AS 7.1.1 ignores java security policies
CVSS Score
3.3
EPSS Score
0.001
Published
2019-12-06
The org.apache.catalina.connector.Response.encodeURL method in Red Hat JBoss Web 7.1.x and earlier, when the tracking mode is set to COOKIE, sends the jsessionid in the URL of the first response of a session, which allows remote attackers to obtain the session id (1) via a man-in-the-middle attack or (2) by reading a log.
CVSS Score
4.3
EPSS Score
0.006
Published
2013-10-28