{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-28708", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-03-21T17:26:28.837Z", "datePublished": "2023-03-22T10:10:58.956Z", "dateUpdated": "2025-08-07T10:57:11.912Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "11.0.0-M2", "status": "affected", "version": "11.0.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "10.1.5", "status": "affected", "version": "10.1.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "9.0.71", "status": "affected", "version": "9.0.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "8.5.85", "status": "affected", "version": "8.5.0", "versionType": "semver"}, {"lessThan": "8.5.0", "status": "unknown", "version": "3", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>\n<div>\n<p>When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not&nbsp;include the secure attribute. This could result in the user agent&nbsp;<span style=\"background-color: var(--wht);\">transmitting the session cookie over an insecure channel.<br><br>Older, EOL versions may also be affected.</span></p></div>\n</div>"}], "value": "When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not\u00a0include the secure attribute. This could result in the user agent\u00a0transmitting the session cookie over an insecure channel.\n\nOlder, EOL versions may also be affected."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-523", "description": "CWE-523 Unprotected Transport of Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-08-07T10:57:11.912Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67"}], "source": {"defect": ["66474"], "discovery": "UNKNOWN"}, "title": "Apache Tomcat: JSESSIONID Cookie missing secure attribute in some configurations", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T13:43:23.678Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67"}]}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-02-13T14:33:37.066034Z", "id": "CVE-2023-28708", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-13T14:36:47.576Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T13:43:23.678Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-28708", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-13T14:33:37.066034Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-13T14:33:32.382Z"}}], "cna": {"title": "Apache Tomcat: JSESSIONID Cookie missing secure attribute in some configurations", "source": {"defect": ["66474"], "discovery": "UNKNOWN"}, "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Tomcat", "versions": [{"status": "affected", "version": "11.0.0-M1", "versionType": "semver", "lessThanOrEqual": "11.0.0-M2"}, {"status": "affected", "version": "10.1.0-M1", "versionType": "semver", "lessThanOrEqual": "10.1.5"}, {"status": "affected", "version": "9.0.0-M1", "versionType": "semver", "lessThanOrEqual": "9.0.71"}, {"status": "affected", "version": "8.5.0", "versionType": "semver", "lessThanOrEqual": "8.5.85"}, {"status": "unknown", "version": "3", "lessThan": "8.5.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not\u00a0include the secure attribute. This could result in the user agent\u00a0transmitting the session cookie over an insecure channel.\n\nOlder, EOL versions may also be affected.", "supportingMedia": [{"type": "text/html", "value": "<div>\n<div>\n<p>When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not&nbsp;include the secure attribute. This could result in the user agent&nbsp;<span style=\"background-color: var(--wht);\">transmitting the session cookie over an insecure channel.<br><br>Older, EOL versions may also be affected.</span></p></div>\n</div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-523", "description": "CWE-523 Unprotected Transport of Credentials"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-08-07T10:57:11.912Z"}}}, "cveMetadata": {"cveId": "CVE-2023-28708", "state": "PUBLISHED", "dateUpdated": "2025-08-07T10:57:11.912Z", "dateReserved": "2023-03-21T17:26:28.837Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2023-03-22T10:10:58.956Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "B5B9F578-C5AF-47B9-8DCB-956FE1142895", "versionEndExcluding": "8.5.86", "versionStartIncluding": "8.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "F53E1703-7327-4B44-8641-9335B78714E3", "versionEndExcluding": "9.0.72", "versionStartExcluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "55049943-7BFB-4022-B790-84466E2E873F", "versionEndExcluding": "10.1.6", "versionStartExcluding": "10.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "D1AA7FF6-E8E7-4BF6-983E-0A99B0183008", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "2AAD52CE-94F5-4F98-A027-9A7E68818CB6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not\u00a0include the secure attribute. This could result in the user agent\u00a0transmitting the session cookie over an insecure channel.\n\nOlder, EOL versions may also be affected."}], "id": "CVE-2023-28708", "lastModified": "2025-08-07T11:15:26.630", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-03-22T11:15:10.623", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "url": "https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "url": "https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-523"}], "source": "security@apache.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:4910", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7", "package": "jws5-tomcat", "product_name": "JWS 5.7.4 release", "release_date": "2023-09-04T00:00:00Z"}, {"advisory": "RHSA-2023:7065", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "tomcat-1:9.0.62-27.el8_9", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-11-14T00:00:00Z"}, {"advisory": "RHSA-2023:6570", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "tomcat-1:9.0.62-37.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-07T00:00:00Z"}, {"advisory": "RHSA-2023:4909", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el7", "package": "jws5-tomcat-0:9.0.62-15.redhat_00013.1.el7jws", "product_name": "Red Hat JBoss Web Server 5.7 on RHEL 7", "release_date": "2023-09-04T00:00:00Z"}, {"advisory": "RHSA-2023:4909", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el8", "package": "jws5-tomcat-0:9.0.62-15.redhat_00013.1.el8jws", "product_name": "Red Hat JBoss Web Server 5.7 on RHEL 8", "release_date": "2023-09-04T00:00:00Z"}, {"advisory": "RHSA-2023:4909", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el9", "package": "jws5-tomcat-0:9.0.62-15.redhat_00013.1.el9jws", "product_name": "Red Hat JBoss Web Server 5.7 on RHEL 9", "release_date": "2023-09-04T00:00:00Z"}], "bugzilla": {"description": "tomcat: not including the secure attribute causes information disclosure", "id": "2180856", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180856"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not\u00a0include the secure attribute. This could result in the user agent\u00a0transmitting the session cookie over an insecure channel."], "mitigation": {"lang": "en:us", "value": "For possible impact and workaround, please refer to: https://access.redhat.com/solutions/7004796"}, "name": "CVE-2023-28708", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3", "fix_state": "Will not fix", "package_name": "tomcat7", "product_name": "Red Hat JBoss Web Server 3"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3", "fix_state": "Will not fix", "package_name": "tomcat8", "product_name": "Red Hat JBoss Web Server 3"}], "public_date": "2023-03-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-28708\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-28708\nhttps://bz.apache.org/bugzilla/show_bug.cgi?id=66471\nhttps://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67"], "statement": "CVE-2023-28708 only potentially impacts a Tomcat configuration using a RemoteIpFilter behind a proxy or loadbalancer that sets an X-Forwarded-Proto request header with a value of https. If you do not use RemoteIpFilter in such a configuration, then the vulnerability would not have any impact on you\nRed Hat Satellite does not include the affected Apache Tomcat, however, Tomcat is shipped with Red Hat Enterprise Linux and consumed by the Candlepin component of Satellite. Red Hat Satellite users are therefore advised to check the impact state of Red Hat Enterprise Linux, since any necessary fixes will be distributed through the platform.", "threat_severity": "Moderate"}