Description

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

Mitigation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
**NOTE:** Support for Apache Tomcat 7.x ended on 31st March 2021. Future 7.x releases containing security fixes are unlikely and users should consider upgrading to later, non-vulnerable versions of the project.

Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.

Related links:

• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28708

• https://bz.apache.org/bugzilla/show_bug.cgi?id=66471

• https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67

• https://tomcat.apache.org/security-10.html

• https://tomcat.apache.org/security-11.html

• https://tomcat.apache.org/security-8.html

• https://tomcat.apache.org/security-9.html