PT-2023-21918 · Apache · Apache Tomcat
Mark Thomas
Published: 2023-02-24
Updated: 2026-05-18
CVE-2023-28708
CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 11.0.0-M1 through 11.0.0-M2
Apache Tomcat versions 10.1.0-M1 through 10.1.5
Apache Tomcat versions 9.0.0-M1 through 9.0.71
Apache Tomcat versions 8.5.0 through 8.5.85
Description
When the RemoteIpFilter is in use and a request arrives from a reverse proxy over plain HTTP with the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat did not include the Secure attribute. As a result, the user agent could transmit the session cookie over an insecure channel.
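The following check is an added example for this advisory, not code from the advisory or from Apache Tomcat. It takes the scheme of the proxy-to-Tomcat hop, the request headers and the response's Set-Cookie values, and reports session cookies that were issued without Secure although the proxy marked the request as https. It assumes the proxy's X-Forwarded-Proto header is trusted (as it is when RemoteIpFilter is configured for that proxy) and that the session cookie uses Tomcat's default name JSESSIONID unless another name is passed; the sample headers and cookies are constructed. It can be used after an upgrade to confirm that session cookies behind a TLS-terminating proxy now carry Secure.

```python
"""Flag Tomcat session cookies set without Secure on requests that a trusted
reverse proxy forwarded as https via X-Forwarded-Proto.

Added example for the advisory above; not part of Apache Tomcat. All inputs
in the demo block are constructed samples.
"""
from typing import Dict, FrozenSet, Iterable, List, NamedTuple, Union

# Tomcat's default session cookie name; pass another set if it was renamed.
DEFAULT_SESSION_COOKIE_NAMES: FrozenSet[str] = frozenset({"JSESSIONID"})


class Cookie(NamedTuple):
    name: str
    value: str
    attrs: Dict[str, Union[str, bool]]  # attribute name (lower-cased) -> value or True


def parse_set_cookie(header_value: str) -> Cookie:
    """Split one Set-Cookie value into name, value and its attributes.

    Attribute names are lower-cased so 'Secure', 'secure' and 'SECURE' compare
    equal; valueless attributes such as Secure and HttpOnly map to True.
    """
    pieces = [p.strip() for p in header_value.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, has_eq, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return Cookie(name.strip(), value.strip(), attrs)


def effective_scheme(connection_scheme: str, request_headers: Dict[str, str],
                     trust_forwarded_proto: bool = True) -> str:
    """Scheme the application should treat the request as having used.

    Mirrors a RemoteIpFilter-style setup: when the proxy is trusted and sent
    X-Forwarded-Proto, that header (first value if comma-separated) overrides
    the scheme of the proxy-to-Tomcat hop.
    """
    lowered = {k.lower(): v for k, v in request_headers.items()}
    forwarded = lowered.get("x-forwarded-proto")
    if trust_forwarded_proto and forwarded:
        return forwarded.split(",")[0].strip().lower()
    return connection_scheme.lower()


def find_insecure_session_cookies(
    connection_scheme: str,
    request_headers: Dict[str, str],
    set_cookie_headers: Iterable[str],
    session_cookie_names: FrozenSet[str] = DEFAULT_SESSION_COOKIE_NAMES,
    trust_forwarded_proto: bool = True,
) -> List[str]:
    """Names of session cookies issued without Secure although the effective
    scheme is https.  Returns [] when the request was plain http end to end,
    because Secure is not expected on cookies for an http-only site.
    """
    scheme = effective_scheme(connection_scheme, request_headers, trust_forwarded_proto)
    if scheme != "https":
        return []
    missing: List[str] = []
    for raw in set_cookie_headers:
        cookie = parse_set_cookie(raw)
        if cookie.name in session_cookie_names and "secure" not in cookie.attrs:
            missing.append(cookie.name)
    return missing


if __name__ == "__main__":
    # Constructed sample: the proxy speaks plain http to Tomcat but the client
    # connected over TLS, which the proxy signals with X-Forwarded-Proto.
    proxied_https = {"X-Forwarded-Proto": "https"}
    unpatched = ["JSESSIONID=0123ABC; Path=/; HttpOnly", "theme=dark; Path=/"]
    patched = ["JSESSIONID=0123ABC; Path=/; Secure; HttpOnly"]
    print(find_insecure_session_cookies("http", proxied_https, unpatched))  # ['JSESSIONID']
    print(find_insecure_session_cookies("http", proxied_https, patched))    # []
```

Only the first X-Forwarded-Proto value is honoured, which matches the common case of a single trusted proxy; if several proxies append values, align the selection with how the RemoteIpFilter is configured for that deployment.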
Recommendations
For Apache Tomcat versions 11.0.0-M1 through 11.0.0-M2, update to a version that includes the fix for this issue.
For Apache Tomcat versions 10.1.0-M1 through 10.1.5, update to a version that includes the fix for this issue.
For Apache Tomcat versions 9.0.0-M1 through 9.0.71, update to a version that includes the fix for this issue.
For Apache Tomcat versions 8.5.0 through 8.5.85, update to a version that includes the fix for this issue.
As a temporary workaround, consider disabling the RemoteIpFilter until a patch is available.
Fix
Related Identifiers
Affected Products
Alt Linux
Almalinux
Apache Tomcat
Astra Linux
Centos
Linuxmint
Red Hat
Red Os
Suse
Ubuntu