Description
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected.
Remediation
References
https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67
https://security.netapp.com/advisory/ntap-20230331-0012/
Related Vulnerabilities
CVE-2020-36518 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind
CVE-2021-43797 Vulnerability in maven package io.netty:netty-codec-http
CVE-2023-45311 Vulnerability in npm package fsevents
CVE-2023-37910 Vulnerability in maven package org.xwiki.platform:xwiki-platform-attachment-api
CVE-2023-26512 Vulnerability in maven package org.apache.eventmesh:eventmesh-connector-rabbitmq