CVE-2023-28708 (Medium) detected in tomcat-embed-core-9.0.68.jar #427
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
|
Thank you for opening an issue. If this issue is related to a bug, please follow the steps and provide the information outlined in the Troubleshooting Guide. Failure to follow these instructions may result in automatic closing of this issue. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2023-28708 - Medium Severity Vulnerability
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Dependency Hierarchy:
Found in HEAD commit: 2cda59cc9ba15234ad74bb5750717c564aad3b18
Found in base branch: master
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
Publish Date: 2023-03-22
URL: CVE-2023-28708
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67
Release Date: 2023-03-22
Fix Resolution: org.apache.tomcat:tomcat-catalina:8.5.86,9.0.72,10.1.6;org.apache.tomcat.embed/tomcat-embed-core:8.5.86,9.0.72,10.1.6
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: