CVE-2023-28708

Summary

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

Older, EOL versions may also be affected.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Tomcat11.0.0-M1 <= 11.0.0-M2affected
Apache Software FoundationApache Tomcat10.1.0-M1 <= 10.1.5affected
Apache Software FoundationApache Tomcat9.0.0-M1 <= 9.0.71affected
Apache Software FoundationApache Tomcat8.5.0 <= 8.5.85affected
Apache Software FoundationApache Tomcat3 < 8.5.0unknown
Apache Software FoundationApache Tomcat10.0.0-M1 <= 10.0.27unknown

Weaknesses

  • CWE-523: CWE-523 Unprotected Transport of Credentials

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References