| Name | CVE-2023-28708 |
| Description | When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-3384-1, DSA-5381-1 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| tomcat10 (PTS) | bookworm, bookworm (security) | 10.1.34-0+deb12u2 | fixed |
| forky, sid, trixie | 10.1.40-1 | fixed | |
| tomcat9 (PTS) | bullseye | 9.0.43-2~deb11u10 | fixed |
| bullseye (security) | 9.0.107-0+deb11u1 | fixed | |
| bookworm | 9.0.70-2 | fixed | |
| forky, sid, trixie | 9.0.95-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| tomcat10 | source | (unstable) | 10.1.6-1 | |||
| tomcat8 | source | (unstable) | (unfixed) | |||
| tomcat9 | source | buster | 9.0.31-1~deb10u8 | DLA-3384-1 | ||
| tomcat9 | source | bullseye | 9.0.43-2~deb11u6 | DSA-5381-1 | ||
| tomcat9 | source | (unstable) | 9.0.70-2 |
https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67
https://bz.apache.org/bugzilla/show_bug.cgi?id=66471
https://github.com/apache/tomcat/commit/f509bbf31fc00abe3d9f25ebfabca5e05173da5b (10.1.6)
https://github.com/apache/tomcat/commit/3b51230764da595bb19e8d0962dd8c69ab40dfab (9.0.72)
https://github.com/apache/tomcat/commit/5b72c94e8b2c4ada63a1d91dc527bf4d8fd1f510 (8.5.86)
Starting with 9.0.70-2 Tomcat9 no longer ships the server stack, using that as the fixed version