CVE-2023-28708

Published: Mar 22, 2023

Modified: Nov 4, 2025

PUBLISHED

Description

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected.

Vendor	Product	Versions
Apache Software Foundation	Apache Tomcat	affected `11.0.0-M1 - <= 11.0.0-M2` affected `10.1.0-M1 - <= 10.1.5` affected `9.0.0-M1 - <= 9.0.71` affected `8.5.0 - <= 8.5.85` unknown `3 - < 8.5.0` +1 more versions

Weaknesses (CWE)

CWE-523

References

https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-28708

Description

Affected Products

Weaknesses (CWE)

References