Moderate severityNVD Advisory· Published Mar 22, 2023· Updated Nov 4, 2025
Apache Tomcat: JSESSIONID Cookie missing secure attribute in some configurations
CVE-2023-28708
Description
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
Older, EOL versions may also be affected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat:tomcat-catalinaMaven | >= 11.0.0-M1, < 11.0.0-M3 | 11.0.0-M3 |
org.apache.tomcat:tomcat-catalinaMaven | >= 10.1.0-M1, < 10.1.6 | 10.1.6 |
org.apache.tomcat:tomcat-catalinaMaven | >= 9.0.0-M1, < 9.0.72 | 9.0.72 |
org.apache.tomcat:tomcat-catalinaMaven | >= 8.5.0, < 8.5.86 | 8.5.86 |
Affected products
37- osv-coords36 versionspkg:bitnami/tomcatpkg:maven/org.apache.tomcat/tomcat-catalinapkg:rpm/almalinux/tomcatpkg:rpm/almalinux/tomcat-admin-webappspkg:rpm/almalinux/tomcat-docs-webapppkg:rpm/almalinux/tomcat-el-3.0-apipkg:rpm/almalinux/tomcat-jsp-2.3-apipkg:rpm/almalinux/tomcat-libpkg:rpm/almalinux/tomcat-servlet-4.0-apipkg:rpm/almalinux/tomcat-webappspkg:rpm/opensuse/tomcat10&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweedpkg:rpm/suse/tomcat&distro=SUSE%20Enterprise%20Storage%207pkg:rpm/suse/tomcat&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP4pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-ESPOSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Manager%20Server%204.2pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
>= 8.5.0, < 8.5.86+ 35 more
- (no CPE)range: >= 8.5.0, < 8.5.86
- (no CPE)range: >= 11.0.0-M1, < 11.0.0-M3
- (no CPE)range: < 1:9.0.62-37.el9_3
- (no CPE)range: < 1:9.0.62-37.el9_3
- (no CPE)range: < 1:9.0.62-37.el9_3
- (no CPE)range: < 1:9.0.62-37.el9_3
- (no CPE)range: < 1:9.0.62-37.el9_3
- (no CPE)range: < 1:9.0.62-37.el9_3
- (no CPE)range: < 1:9.0.62-37.el9_3
- (no CPE)range: < 1:9.0.62-37.el9_3
- (no CPE)range: < 10.1.14-1.1
- (no CPE)range: < 9.0.43-150200.35.1
- (no CPE)range: < 9.0.43-15.1
- (no CPE)range: < 9.0.43-150200.35.1
- (no CPE)range: < 9.0.43-150200.35.1
- (no CPE)range: < 9.0.36-150100.4.90.1
- (no CPE)range: < 9.0.43-150200.35.1
- (no CPE)range: < 9.0.43-150200.35.1
- (no CPE)range: < 9.0.43-150200.35.1
- (no CPE)range: < 9.0.43-150200.35.1
- (no CPE)range: < 9.0.36-3.102.1
- (no CPE)range: < 9.0.36-3.102.1
- (no CPE)range: < 9.0.36-3.102.1
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 9.0.36-150100.4.90.1
- (no CPE)range: < 9.0.43-150200.35.1
- (no CPE)range: < 9.0.43-150200.35.1
- (no CPE)range: < 9.0.36-3.102.1
- (no CPE)range: < 9.0.36-3.102.1
- (no CPE)range: < 9.0.36-150100.4.90.1
- (no CPE)range: < 9.0.43-150200.35.1
- (no CPE)range: < 9.0.43-150200.35.1
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 9.0.43-150200.35.1
- (no CPE)range: < 9.0.36-3.102.1
- (no CPE)range: < 9.0.36-3.102.1
- Apache Software Foundation/Apache Tomcatv5Range: 11.0.0-M1
Patches
Vulnerability mechanics
References
13- github.com/advisories/GHSA-2c9m-w27f-53rmghsaADVISORY
- lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67ghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2023-28708ghsaADVISORY
- bz.apache.org/bugzilla/show_bug.cgighsaWEB
- github.com/apache/tomcat/commit/3b51230764da595bb19e8d0962dd8c69ab40dfabghsaWEB
- github.com/apache/tomcat/commit/5b72c94e8b2c4ada63a1d91dc527bf4d8fd1f510ghsaWEB
- github.com/apache/tomcat/commit/c64d496dda1560b5df113be55fbfaefec349b50fghsaWEB
- github.com/apache/tomcat/commit/f509bbf31fc00abe3d9f25ebfabca5e05173da5bghsaWEB
- security.netapp.com/advisory/ntap-20230331-0012ghsaWEB
- tomcat.apache.org/security-10.htmlghsaWEB
- tomcat.apache.org/security-11.htmlghsaWEB
- tomcat.apache.org/security-8.htmlghsaWEB
- tomcat.apache.org/security-9.htmlghsaWEB
News mentions
0No linked articles in our index yet.