CVE-2023-28708

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

Older, EOL versions may also be affected.

Published: Mar 22, 2023
Updated: Aug 8, 2025
CVE: CVE-2023-28708
GHSA: GHSA-2c9m-w27f-53rm
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CWEs:

CWE-523

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
apache / tomcat	11.0.0-milestone1	11.0.0-milestone1.x
apache / tomcat	10.1.0.x	10.1.6
apache / tomcat	9.0.0.x	9.0.72
apache / tomcat	8.5.0	8.5.86
apache / tomcat	11.0.0-milestone2	11.0.0-milestone2.x
org.apache.tomcat / tomcat-catalina	11.0.0-M1	11.0.0-M3
org.apache.tomcat / tomcat-catalina	10.1.0-M1	10.1.6
org.apache.tomcat / tomcat-catalina	9.0.0-M1	9.0.72
org.apache.tomcat / tomcat-catalina	8.5.0	8.5.86

Vulnerability Database

CVE-2023-28708