GSD-2023-28708 — Vulnetix

GSD-2023-28708 PUBLISHED CVSS 4.300000190734863 MEDIUM

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected.

Risk Scores

CVSS v3.1

4.300000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Affected Products

Vendor	Product	Versions
Apache Software Foundation	Apache Tomcat	11.0.0-M1, 10.1.0-M1, 9.0.0-M1

Timeline

Mar 9, 2015 CVE Published

References

https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67 vendor-advisory
https://security.netapp.com/advisory/ntap-20230331-0012/ url

Open in Interactive Console →