oss-sec mailing list archives
CVE-2023-28708: Apache Tomcat: JSESSIONID Cookie missing secure attribute in some configurations
From: Mark Thomas <markt () apache org>
Date: Wed, 22 Mar 2023 10:12:50 +0000
CVE-2023-28708 Apache Tomcat - Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M2 Apache Tomcat 10.1.0-M1 to 10.1.5 Apache Tomcat 9.0.0-M1 to 9.0.71 Apache Tomcat 8.5.0 to 8.5.85 Description:When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 11.0.0-M3 or later - Upgrade to Apache Tomcat 10.1.6 or later - Upgrade to Apache Tomcat 9.0.72 or later - Upgrade to Apache Tomcat 8.5.86 or later History: 2023-03-22 Original advisory References: [1] https://tomcat.apache.org/security-11.html [2] https://tomcat.apache.org/security-10.html [3] https://tomcat.apache.org/security-9.html [4] https://tomcat.apache.org/security-8.html
Current thread:
- CVE-2023-28708: Apache Tomcat: JSESSIONID Cookie missing secure attribute in some configurations Mark Thomas (Mar 22)