Lucene search

K
cvelistApacheCVELIST:CVE-2023-28708
HistoryMar 22, 2023 - 10:10 a.m.

CVE-2023-28708 Apache Tomcat: JSESSIONID Cookie missing secure attribute in some configurations

2023-03-2210:10:58
CWE-523
apache
www.cve.org

6.1 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

39.9%

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Tomcat",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "11.0.0-M2",
        "status": "affected",
        "version": "11.0.0-M1",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "10.1.5",
        "status": "affected",
        "version": "10.1.0-M1",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "9.0.71",
        "status": "affected",
        "version": "9.0.0-M1",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "8.5.85",
        "status": "affected",
        "version": "8.5.0",
        "versionType": "semver"
      }
    ]
  }
]