Bug 2180856 (CVE-2023-28708) - CVE-2023-28708 tomcat: not including the secure attribute causes information disclosure
Summary: CVE-2023-28708 tomcat: not including the secure attribute causes information ...
Keywords:
Status: NEW
Alias: CVE-2023-28708
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2181443 2181448 2181455 2181459 2181461 2181441 2181442 2181447 2181449 2181450 2181451 2181452 2181453 2181454 2181456 2181457 2181458 2181460 2182286
Blocks: 2180858
TreeView+ depends on / blocked
 
Reported: 2023-03-22 12:23 UTC by Sandipan Roy
Modified: 2023-08-07 05:59 UTC (History)
9 users (show)

Fixed In Version: tomcat 8.5.86, tomcat 9.0.72, tomcat 10.1.6, tomcat 11.0.0-M3
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Sandipan Roy 2023-03-22 12:23:03 UTC 
Apache Tomcat information disclosure CVE-2023-28708

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

Affects: 8.5.0 to 8.5.85

https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.86
https://bz.apache.org/bugzilla/show_bug.cgi?id=66471
https://github.com/apache/tomcat/commit/5b72c94e8b2c4ada63a1d91dc527bf4d8fd1f510
Comment 1 TEJ RATHI 2023-03-24 06:29:48 UTC 
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M2
Apache Tomcat 10.1.0-M1 to 10.1.5
Apache Tomcat 9.0.0-M1 to 9.0.71
Apache Tomcat 8.5.0 to 8.5.85

https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67
Comment 2 Sandipan Roy 2023-03-24 06:32:06 UTC 
Created tomcat tracking bugs for this issue:

Affects: epel-8 [bug 2181441]
Affects: fedora-36 [bug 2181442]
Affects: fedora-37 [bug 2181443]
Note You need to log in before you can comment on or make changes to this bug.