CVE-2023-28708
Apache Tomcat vulnerable to Unprotected Transport of Credentials
4.3
MEDIUM
CVSS 3.1
EPSS 0.11%
Description
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected.
How to fix CVE-2023-28708
To remediate CVE-2023-28708, upgrade the affected package to a fixed version below.
- —upgrade to 8.5.86 or later
- —upgrade to 10.1.6-1 or later
- —upgrade to 9.0.43-2~deb11u6 or later
- —upgrade to 11.0.0-M3 or later
Is CVE-2023-28708 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- >= 8.5.0, < 8.5.86, >= 9.0.0, < 9.0.72, >= 10.1.0, < 10.1.6
- from 0, < 10.1.6-1
- from 0, < 9.0.43-2~deb11u6
- >= 11.0.0-M1, < 11.0.0-M3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |