CVE-2023-28708

CVE-2023-28708: Apache Tomcat: JSESSIONID Cookie missing secure attribute in some configurations

Vendor Apache Software Foundation

Product Apache Tomcat

Weakness CWE-523

Published March 22, 2023

Last update November 4, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected.

Key dates

Disclosure timeline

March 22, 2023 CVE published

November 4, 2025 Record updated

Identifiers

CVE CVE-2023-28708

CWE CWE-523

Affected versions

Vendor Apache Software Foundation

Product Apache Tomcat

Affected ≥ 11.0.0-M1 and ≤ 11.0.0-M2

Vendor Apache Software Foundation

Product Apache Tomcat

Affected ≥ 10.1.0-M1 and ≤ 10.1.5

Vendor Apache Software Foundation

Product Apache Tomcat

Affected ≥ 9.0.0-M1 and ≤ 9.0.71

Vendor Apache Software Foundation

Product Apache Tomcat

Affected ≥ 8.5.0 and ≤ 8.5.85