CVE-2023-28708

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-28708

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28708.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-28708

Aliases

Downstream

DEBIAN-CVE-2023-28708

DLA-3384-1

DSA-5381-1

OESA-2023-1247

RHSA-2023:4909

RHSA-2023:6570

RHSA-2023:7065

SUSE-SU-2023:1669-1

SUSE-SU-2023:1672-1

SUSE-SU-2023:1769-1

UBUNTU-CVE-2023-28708

USN-7106-1

USN-7562-1

openSUSE-SU-2024:12821-1

openSUSE-SU-2024:13441-1

Related

Published

2023-03-22T11:15:10Z

Modified

2025-10-14T15:32:31Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

Older, EOL versions may also be affected.

References

https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67

Affected packages

Git / github.com/apache/tomcat

Affected ranges

Type: GIT
Repo: https://github.com/apache/tomcat
Events: Introduced

e37b977db6f47e4380ad67114a49e8568951c953

Fixed

0bf2722f4652674e321a0e22e72dca75d2ea8275