CVE-2023-28708

NameCVE-2023-28708
DescriptionWhen using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3384-1, DSA-5381-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat10 (PTS)bookworm, bookworm (security)10.1.34-0+deb12u2fixed
forky, sid, trixie10.1.40-1fixed
tomcat9 (PTS)bullseye9.0.43-2~deb11u10fixed
bullseye (security)9.0.107-0+deb11u1fixed
bookworm9.0.70-2fixed
forky, sid, trixie9.0.95-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat10source(unstable)10.1.6-1
tomcat8source(unstable)(unfixed)
tomcat9sourcebuster9.0.31-1~deb10u8DLA-3384-1
tomcat9sourcebullseye9.0.43-2~deb11u6DSA-5381-1
tomcat9source(unstable)9.0.70-2

Notes

https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67
https://bz.apache.org/bugzilla/show_bug.cgi?id=66471
https://github.com/apache/tomcat/commit/f509bbf31fc00abe3d9f25ebfabca5e05173da5b (10.1.6)
https://github.com/apache/tomcat/commit/3b51230764da595bb19e8d0962dd8c69ab40dfab (9.0.72)
https://github.com/apache/tomcat/commit/5b72c94e8b2c4ada63a1d91dc527bf4d8fd1f510 (8.5.86)
Starting with 9.0.70-2 Tomcat9 no longer ships the server stack, using that as the fixed version

Search for package or bug name: Reporting problems