GHSA-2c9m-w27f-53rm

Suggest an improvement
Source
https://github.com/advisories/GHSA-2c9m-w27f-53rm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-2c9m-w27f-53rm/GHSA-2c9m-w27f-53rm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2c9m-w27f-53rm
Aliases
Published
2023-03-22T12:30:16Z
Modified
2023-12-06T01:02:58.299623Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Apache Tomcat vulnerable to Unprotected Transport of Credentials
Details

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

Database specific
{
    "nvd_published_at": "2023-03-22T11:15:00Z",
    "github_reviewed_at": "2023-03-22T21:22:52Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-523"
    ]
}
References

Affected packages

Maven / org.apache.tomcat:tomcat-catalina

Package

Name
org.apache.tomcat:tomcat-catalina
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0-M1
Fixed
11.0.0-M3

Affected versions

11.*

11.0.0-M1

Maven / org.apache.tomcat:tomcat-catalina

Package

Name
org.apache.tomcat:tomcat-catalina
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.1.0-M1
Fixed
10.1.6

Affected versions

10.*

10.1.0-M1
10.1.0-M2
10.1.0-M4
10.1.0-M5
10.1.0-M6
10.1.0-M7
10.1.0-M8
10.1.0-M10
10.1.0-M11
10.1.0-M12
10.1.0-M14
10.1.0-M15
10.1.0-M16
10.1.0-M17
10.1.0
10.1.1
10.1.2
10.1.4
10.1.5

Maven / org.apache.tomcat:tomcat-catalina

Package

Name
org.apache.tomcat:tomcat-catalina
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.0.0-M1
Fixed
9.0.72

Affected versions

9.*

9.0.0.M1
9.0.0.M3
9.0.0.M4
9.0.0.M6
9.0.0.M8
9.0.0.M9
9.0.0.M10
9.0.0.M11
9.0.0.M13
9.0.0.M15
9.0.0.M17
9.0.0.M18
9.0.0.M19
9.0.0.M20
9.0.0.M21
9.0.0.M22
9.0.0.M25
9.0.0.M26
9.0.0.M27
9.0.1
9.0.2
9.0.4
9.0.5
9.0.6
9.0.7
9.0.8
9.0.10
9.0.11
9.0.12
9.0.13
9.0.14
9.0.16
9.0.17
9.0.19
9.0.20
9.0.21
9.0.22
9.0.24
9.0.26
9.0.27
9.0.29
9.0.30
9.0.31
9.0.33
9.0.34
9.0.35
9.0.36
9.0.37
9.0.38
9.0.39
9.0.40
9.0.41
9.0.43
9.0.44
9.0.45
9.0.46
9.0.48
9.0.50
9.0.52
9.0.53
9.0.54
9.0.55
9.0.56
9.0.58
9.0.59
9.0.60
9.0.62
9.0.63
9.0.64
9.0.65
9.0.67
9.0.68
9.0.69
9.0.70
9.0.71

Maven / org.apache.tomcat:tomcat-catalina

Package

Name
org.apache.tomcat:tomcat-catalina
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.5.0
Fixed
8.5.86

Affected versions

8.*

8.5.0
8.5.2
8.5.3
8.5.4
8.5.5
8.5.6
8.5.8
8.5.9
8.5.11
8.5.12
8.5.13
8.5.14
8.5.15
8.5.16
8.5.19
8.5.20
8.5.21
8.5.23
8.5.24
8.5.27
8.5.28
8.5.29
8.5.30
8.5.31
8.5.32
8.5.33
8.5.34
8.5.35
8.5.37
8.5.38
8.5.39
8.5.40
8.5.41
8.5.42
8.5.43
8.5.45
8.5.46
8.5.47
8.5.49
8.5.50
8.5.51
8.5.53
8.5.54
8.5.55
8.5.56
8.5.57
8.5.58
8.5.59
8.5.60
8.5.61
8.5.63
8.5.64
8.5.65
8.5.66
8.5.68
8.5.69
8.5.70
8.5.71
8.5.72
8.5.73
8.5.75
8.5.76
8.5.77
8.5.78
8.5.79
8.5.81
8.5.82
8.5.83
8.5.84
8.5.85