DEBIAN-CVE-2023-28708

Advisory lineage Upstream: 1 Downstream: 2

Upstream

CVE-2023-28708

Downstream

DLA-3384-1 DSA-5381-1

Published: 22 Mar 2023, 11:15

Last modified:28 Apr 2026, 20:26

Vulnerability Summary

Overall Risk (default)

low

17/100

CVSS Score

4.3 MEDIUM

3.1 (osv_debian)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

22 Mar 2023, 11:15

Published

Vulnerability first disclosed

28 Apr 2026, 20:26

Last Modified

Vulnerability information updated

Description

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected.

CVSS Metrics

v3.1•MEDIUM•Score: 4.3CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Affected Systems

debian•tomcat10
< 10.1.6-1 | < 10.1.6-1 | < 10.1.6-1
debian•tomcat9
< 9.0.43-2~deb11u6 | < 9.0.70-2 | < 9.0.70-2 | < 9.0.70-2

References (1)

https://security-tracker.debian.org/tracker/CVE-2023-28708