Apache Tomcat: JSESSIONID Cookie missing secure attribute in some configurations
CVE-2023-28708

4.3MEDIUM

Key Information:

Vendor: Apache
Status: Apache Tomcat
Vendor: CVE Published:; 22 March 2023

Summary

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

Affected Version(s)

Apache Tomcat 11.0.0-M1 <= 11.0.0-M2

Apache Tomcat 10.1.0-M1 <= 10.1.5

Apache Tomcat 9.0.0-M1 <= 9.0.71

References

https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwd...

vendor-advisory

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Mar 22, 2023
Vulnerability Reserved
Mar 21, 2023