
Apache Tomcat (TOMCAT:090D34A8F12561B9A6EBDD358D9AF510)
History: Feb 23, 2023 - 12:00 a.m.

Fixed in Apache Tomcat 11.0.0-M3

Apache Tomcat

0.034 Low

Important: Apache Tomcat information disclosure CVE-2023-28708

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
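The following is an added example, not Tomcat's own code, that implements the check a practitioner would run against this issue: given the request headers a reverse proxy forwarded to the backend and the response headers that came back, report any session cookie set without the Secure attribute on a request the proxy marked as HTTPS. The session-cookie name list (JSESSIONID is Tomcat's default) and the sample header sets are constructed for illustration.

```python
"""Flag session cookies set without Secure on requests a reverse proxy
forwarded as HTTPS (the failure mode of CVE-2023-28708).

Added example; not Tomcat code. SESSION_COOKIE_NAMES and the sample
headers below are assumptions/constructed for illustration.
"""

# Cookie names that carry a session identifier. JSESSIONID is Tomcat's
# default; add application-specific names here (assumption).
SESSION_COOKIE_NAMES = {"JSESSIONID"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attr: value}).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to True, valued attributes (Path=/app) to their string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def request_seen_as_https(request_headers):
    """True when the proxy told the backend the client used TLS.

    This is the condition RemoteIpFilter evaluates: X-Forwarded-Proto
    equal to https. Header-name matching is case-insensitive.
    """
    for key, value in request_headers.items():
        if key.lower() == "x-forwarded-proto":
            return value.strip().lower() == "https"
    return False


def insecure_session_cookies(request_headers, response_headers):
    """Names of session cookies that should have carried Secure but did not.

    response_headers is a list of (name, value) pairs because Set-Cookie
    may appear more than once in a single response.
    """
    if not request_seen_as_https(request_headers):
        return []  # plain-HTTP client: Secure is not expected here
    missing = []
    for key, value in response_headers:
        if key.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if name in SESSION_COOKIE_NAMES and attrs.get("secure") is not True:
            missing.append(name)
    return missing


# Constructed samples: a request forwarded as HTTPS, a vulnerable
# response (no Secure) and a fixed response (Secure present).
FORWARDED_HTTPS = {"Host": "app.example.test", "X-Forwarded-Proto": "https"}
DIRECT_HTTP = {"Host": "app.example.test"}
VULNERABLE_RESPONSE = [("Set-Cookie", "JSESSIONID=0A1B2C; Path=/app; HttpOnly")]
FIXED_RESPONSE = [("Set-Cookie", "JSESSIONID=0A1B2C; Path=/app; Secure; HttpOnly")]

if __name__ == "__main__":
    print("vulnerable:", insecure_session_cookies(FORWARDED_HTTPS, VULNERABLE_RESPONSE))
    print("fixed:     ", insecure_session_cookies(FORWARDED_HTTPS, FIXED_RESPONSE))
```

To use it against a live deployment, capture the Set-Cookie headers from a request sent through the proxy path (so that X-Forwarded-Proto: https is present) and feed them in as the response list; a non-empty result means the session cookie is still being issued without Secure.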

This was fixed with commit c64d496d.

Bug 66471 was reported publicly on 8 February 2023. The security implications were identified by the Tomcat Security team on 9 February 2023. The issue was made public on 22 March 2023.

Affects: 11.0.0-M1 to 11.0.0-M2

Note: The issue below was fixed in Apache Tomcat 11.0.0-M2 but the release vote for the 11.0.0-M2 release candidate did not pass. Therefore, although users must download 11.0.0-M3 to obtain a version that includes a fix for this issue, version 11.0.0-M2 is not included in the list of affected versions.

Important: Apache Tomcat denial of service CVE-2023-24998

Apache Tomcat uses a package-renamed copy of Apache Commons FileUpload to provide the file upload functionality defined in the Jakarta Servlet specification. Apache Tomcat was, therefore, also vulnerable to the Apache Commons FileUpload vulnerability CVE-2023-24998, as there was no limit to the number of request parts processed. This resulted in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.
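The following is an added example, not Tomcat or Commons FileUpload code, that shows the shape of the problem and of the fix: a constructed multipart/form-data body with an arbitrary number of tiny parts, a streaming part iterator, and a parser that refuses the request as soon as the part count exceeds a limit rather than after processing every part. The boundary, field names and limits are constructed for illustration; in Tomcat the actual limit applied by the fix is the Connector's maxParameterCount (not stated on this page).

```python
"""Bounded multipart part counting (the fix pattern for CVE-2023-24998).

Added example; not Tomcat or Commons FileUpload code. The body builder
plays the attacker: many near-empty parts cost the client almost nothing
to send but, unbounded, cost the server a part object each.
"""


class TooManyParts(Exception):
    """Raised once a request carries more parts than the server allows."""


def build_multipart(boundary, n_parts, field_name="f"):
    """Construct a multipart/form-data body with n_parts tiny parts (attacker input)."""
    delim = b"--" + boundary
    chunks = []
    for i in range(n_parts):
        chunks.append(delim + b"\r\n")
        chunks.append(b'Content-Disposition: form-data; name="%s%d"\r\n\r\n'
                      % (field_name.encode(), i))
        chunks.append(b"x\r\n")
    chunks.append(delim + b"--\r\n")  # closing delimiter
    return b"".join(chunks)


def iter_parts(body, boundary):
    """Yield (raw_headers, payload) per part, walking the body delimiter to delimiter.

    Parts are produced lazily so a caller can stop (and reject) without
    materialising the rest of the request.
    """
    delim = b"--" + boundary
    pos = body.find(delim)
    if pos < 0:
        return  # no parts at all
    pos += len(delim)
    while True:
        if body.startswith(b"--", pos):  # "--boundary--" closes the body
            return
        if body.startswith(b"\r\n", pos):
            pos += 2
        nxt = body.find(b"\r\n" + delim, pos)
        if nxt < 0:
            raise ValueError("unterminated part")
        head, _, payload = body[pos:nxt].partition(b"\r\n\r\n")
        yield head, payload
        pos = nxt + 2 + len(delim)


def parse_multipart(body, boundary, max_parts):
    """Parse the body, raising TooManyParts at part max_parts + 1.

    The check runs before the offending part is stored, so the work done
    on a malicious request is bounded by max_parts, not by its size.
    """
    parts = []
    for n, (head, payload) in enumerate(iter_parts(body, boundary), start=1):
        if n > max_parts:
            raise TooManyParts(f"request exceeds {max_parts} parts")
        parts.append((head, payload))
    return parts


def accept_upload(body, boundary, max_parts):
    """True if the request is within the part limit, False if it was rejected."""
    try:
        parse_multipart(body, boundary, max_parts)
        return True
    except TooManyParts:
        return False


if __name__ == "__main__":
    boundary = b"boundaryXYZ"  # constructed boundary
    # Pre-fix behaviour: every part is processed, however many there are.
    print(len(parse_multipart(build_multipart(boundary, 5000), boundary, max_parts=10_000)))
    # Fixed behaviour: a flood of parts is refused at the limit.
    print(accept_upload(build_multipart(boundary, 5000), boundary, max_parts=1000))
```

The DoS is about count, not bytes: each part here is a few dozen bytes, so a body of tens of thousands of parts stays small on the wire while the server allocates and processes one object per part. Any part limit must therefore be enforced in the iteration loop, as above, not as a post-parse check.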

This was fixed with commit 063e2e81.

This issue was reported to the Apache Tomcat Security team on 11 December 2022. The issue was made public on 20 February 2023.

Affects: 11.0.0-M1