Apache Tomcat does not properly handle certain characters in a cookie value, which could possibly lead to the leak of sensitive information such as session IDs . The updated packages have been patched to prevent this issue.