[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 22 Mar 2023 10:12:50 +0000
From: Mark Thomas <markt@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2023-28708: Apache Tomcat: JSESSIONID Cookie missing secure
attribute in some configurations
CVE-2023-28708 Apache Tomcat - Information Disclosure
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M2
Apache Tomcat 10.1.0-M1 to 10.1.5
Apache Tomcat 9.0.0-M1 to 9.0.71
Apache Tomcat 8.5.0 to 8.5.85
Description:
When using the RemoteIpFilter with requests received from a reverse
proxy via HTTP that include the X-Forwarded-Proto header set to https,
session cookies created by Tomcat did not include the secure attribute.
This could result in the user agent transmitting the session cookie over
an insecure channel.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.0-M3 or later
- Upgrade to Apache Tomcat 10.1.6 or later
- Upgrade to Apache Tomcat 9.0.72 or later
- Upgrade to Apache Tomcat 8.5.86 or later
History:
2023-03-22 Original advisory
References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
