Vulnerability details: VCID-6p3e-4u8s-17ep
Vulnerability ID: VCID-6p3e-4u8s-17ep
Aliases: CVE-2007-3385, GHSA-6j8f-66vh-39mj
Summary: Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 does not properly handle the \" character sequence in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks.
Status: Published
Exploitability: 2.0
Weighted Severity: 6.2
Risk: 10.0
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
generic_textual MODERATE http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
generic_textual MODERATE http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795
generic_textual MODERATE http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01192554
generic_textual MODERATE http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
epss 0.80997 https://api.first.org/data/v1/epss?cve=CVE-2007-3385
epss 0.81368 https://api.first.org/data/v1/epss?cve=CVE-2007-3385
apache_tomcat Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385
generic_textual MODERATE https://exchange.xforce.ibmcloud.com/vulnerabilities/35999
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-6j8f-66vh-39mj
generic_textual MODERATE https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2007-3385
generic_textual MODERATE https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9549
generic_textual MODERATE http://support.apple.com/kb/HT2163
generic_textual MODERATE http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
generic_textual MODERATE https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html
generic_textual MODERATE http://tomcat.apache.org/security-6.html
generic_textual MODERATE http://www-01.ibm.com/support/docview.wss?uid=swg1IZ55562
generic_textual MODERATE http://www.debian.org/security/2008/dsa-1447
generic_textual MODERATE http://www.debian.org/security/2008/dsa-1453
generic_textual MODERATE http://www.kb.cert.org/vuls/id/993544
generic_textual MODERATE http://www.mandriva.com/security/advisories?name=MDKSA-2007:241
generic_textual MODERATE http://www.redhat.com/support/errata/RHSA-2007-0871.html
generic_textual MODERATE http://www.redhat.com/support/errata/RHSA-2007-0950.html
generic_textual MODERATE http://www.redhat.com/support/errata/RHSA-2008-0195.html
generic_textual MODERATE http://www.redhat.com/support/errata/RHSA-2008-0261.html
Reference id Reference type URL
http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01192554
http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2007-3385.json
https://api.first.org/data/v1/epss?cve=CVE-2007-3385
https://exchange.xforce.ibmcloud.com/vulnerabilities/35999
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9549
http://support.apple.com/kb/HT2163
http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html
http://tomcat.apache.org/security-6.html
http://www-01.ibm.com/support/docview.wss?uid=swg1IZ55562
http://www.debian.org/security/2008/dsa-1447
http://www.debian.org/security/2008/dsa-1453
http://www.kb.cert.org/vuls/id/993544
http://www.mandriva.com/security/advisories?name=MDKSA-2007:241
http://www.redhat.com/support/errata/RHSA-2007-0871.html
http://www.redhat.com/support/errata/RHSA-2007-0950.html
http://www.redhat.com/support/errata/RHSA-2008-0195.html
http://www.redhat.com/support/errata/RHSA-2008-0261.html
247976 https://bugzilla.redhat.com/show_bug.cgi?id=247976
CVE-2007-3385 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385
CVE-2007-3385 https://nvd.nist.gov/vuln/detail/CVE-2007-3385
GHSA-6j8f-66vh-39mj https://github.com/advisories/GHSA-6j8f-66vh-39mj
RHSA-2007:0871 https://access.redhat.com/errata/RHSA-2007:0871
RHSA-2007:0876 https://access.redhat.com/errata/RHSA-2007:0876
RHSA-2007:0950 https://access.redhat.com/errata/RHSA-2007:0950
RHSA-2007:1069 https://access.redhat.com/errata/RHSA-2007:1069
RHSA-2008:0195 https://access.redhat.com/errata/RHSA-2008:0195
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile: 0.99145
EPSS Score: 0.80997
Published At: April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:38:17.907692+00:00 Apache Tomcat Importer Import https://tomcat.apache.org/security-6.html 38.0.0