WEB APPLICATION VULNERABILITIES Standard & Premium

Apache Tomcat Unprotected Transport of Credentials Vulnerability (CVE-2023-28708)

Description

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

Remediation

References

Related Vulnerabilities

ownCloud Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2013-0204)

MySQL CVE-2019-2596 Vulnerability (CVE-2019-2596)

WordPress Plugin Catch Themes Demo Import Security Bypass (1.5)

phpMyAdmin Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2013-1937)

Oracle Database Server CVE-2015-2599 Vulnerability (CVE-2015-2599)

Severity

Medium

Classification

CVE-2023-28708 CWE-523 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities