CVE-2023-28708

Aliases:GHSA-2c9m-w27f-53rmBIT-tomcat-2023-28708
Advisory lineage Upstream: 0 Downstream: 16
Modified
Published: 22 Mar 2023, 10:10
Last modified:04 Nov 2025, 19:15

Vulnerability Summary

Overall Risk (default)
low
17/100
CVSS Score
4.3 MEDIUM
v3.1 (cve.org)
EPSS Score
0.11% LOW
0% probability +0.01%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

22 Mar 2023, 10:10
Published
Vulnerability first disclosed
04 Nov 2025, 19:15
Last Modified
Vulnerability information updated

Description

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected.

CVSS Metrics

  • v3.1MEDIUMScore: 4.3CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

EPSS Trends

Current EPSS score: 0.11% Percentile: 29%

Techniques & Countermeasures

  • CWE-523Unprotected Transport of Credentials

    Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.

Affected Systems

  • apache software foundationapache tomcat

    ≥ 11.0.0-M1, ≤ 11.0.0-M2 | ≥ 10.1.0-M1, ≤ 10.1.5 | ≥ 9.0.0-M1, ≤ 9.0.71 | ≥ 8.5.0, ≤ 8.5.85

  • UnknownTomcat

    ≥ 8.5.0, < 8.5.86 | > 9.0.0, < 9.0.72 | > 10.1.0, < 10.1.6 | 11.0.0:milestone1 | 11.0.0:milestone2

  • org.apache.tomcattomcat-catalina

    ≥ 11.0.0-M1, < 11.0.0-M3 | ≥ 10.1.0-M1, < 10.1.6 | ≥ 9.0.0-M1, < 9.0.72 | ≥ 8.5.0, < 8.5.86

References (14)