The org.apache.catalina.connector.Response.encodeURL method in Red Hat JBoss Web 7.1.x and earlier, when the tracking mode is set to COOKIE, sends the jsessionid in the URL of the first response of a session, which allows remote attackers to obtain the session id (1) via a man-in-the-middle attack or (2) by reading a log.
Exploitability
AV:NAC:MAu:NImpact
C:PI:NA:N4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N