VYPR
Moderate severityNVD Advisory· Published Mar 22, 2023· Updated Nov 4, 2025

Apache Tomcat: JSESSIONID Cookie missing secure attribute in some configurations

CVE-2023-28708

Description

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

Older, EOL versions may also be affected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.tomcat:tomcat-catalinaMaven
>= 11.0.0-M1, < 11.0.0-M311.0.0-M3
org.apache.tomcat:tomcat-catalinaMaven
>= 10.1.0-M1, < 10.1.610.1.6
org.apache.tomcat:tomcat-catalinaMaven
>= 9.0.0-M1, < 9.0.729.0.72
org.apache.tomcat:tomcat-catalinaMaven
>= 8.5.0, < 8.5.868.5.86

Affected products

37

Patches

Vulnerability mechanics

References

13

News mentions

0

No linked articles in our index yet.