Search for vulnerabilities
Vulnerability details: VCID-kdkb-2vcc-7ka1
Vulnerability ID VCID-kdkb-2vcc-7ka1
Aliases CVE-2023-28708
GHSA-2c9m-w27f-53rm
Summary When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-523 Unprotected Transport of Credentials
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
System Score Found at
cvssv3 4.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28708.json
epss 0.00145 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00145 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00145 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00145 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00145 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00145 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00145 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00145 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00145 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00145 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00145 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00145 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00145 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00145 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00163 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00163 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
epss 0.00163 https://api.first.org/data/v1/epss?cve=CVE-2023-28708
cvssv3.1 4.3 https://bz.apache.org/bugzilla/show_bug.cgi?id=66471
generic_textual MODERATE https://bz.apache.org/bugzilla/show_bug.cgi?id=66471
apache_tomcat Important https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28708
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-2c9m-w27f-53rm
cvssv3.1 4.3 https://github.com/apache/tomcat
generic_textual MODERATE https://github.com/apache/tomcat
cvssv3.1 4.3 https://github.com/apache/tomcat/commit/3b51230764da595bb19e8d0962dd8c69ab40dfab
generic_textual MODERATE https://github.com/apache/tomcat/commit/3b51230764da595bb19e8d0962dd8c69ab40dfab
cvssv3.1 4.3 https://github.com/apache/tomcat/commit/5b72c94e8b2c4ada63a1d91dc527bf4d8fd1f510
generic_textual MODERATE https://github.com/apache/tomcat/commit/5b72c94e8b2c4ada63a1d91dc527bf4d8fd1f510
cvssv3.1 4.3 https://github.com/apache/tomcat/commit/c64d496dda1560b5df113be55fbfaefec349b50f
generic_textual MODERATE https://github.com/apache/tomcat/commit/c64d496dda1560b5df113be55fbfaefec349b50f
cvssv3.1 4.3 https://github.com/apache/tomcat/commit/f509bbf31fc00abe3d9f25ebfabca5e05173da5b
generic_textual MODERATE https://github.com/apache/tomcat/commit/f509bbf31fc00abe3d9f25ebfabca5e05173da5b
cvssv3.1 4.3 https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67
generic_textual MODERATE https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67
ssvc Track https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67
cvssv3.1 4.3 https://nvd.nist.gov/vuln/detail/CVE-2023-28708
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2023-28708
cvssv3.1 4.3 https://tomcat.apache.org/security-10.html
generic_textual MODERATE https://tomcat.apache.org/security-10.html
cvssv3.1 4.3 https://tomcat.apache.org/security-11.html
generic_textual MODERATE https://tomcat.apache.org/security-11.html
cvssv3.1 4.3 https://tomcat.apache.org/security-8.html
generic_textual MODERATE https://tomcat.apache.org/security-8.html
cvssv3.1 4.3 https://tomcat.apache.org/security-9.html
generic_textual MODERATE https://tomcat.apache.org/security-9.html
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28708.json
https://api.first.org/data/v1/epss?cve=CVE-2023-28708
https://bz.apache.org/bugzilla/show_bug.cgi?id=66471
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/apache/tomcat
https://github.com/apache/tomcat/commit/3b51230764da595bb19e8d0962dd8c69ab40dfab
https://github.com/apache/tomcat/commit/5b72c94e8b2c4ada63a1d91dc527bf4d8fd1f510
https://github.com/apache/tomcat/commit/c64d496dda1560b5df113be55fbfaefec349b50f
https://github.com/apache/tomcat/commit/f509bbf31fc00abe3d9f25ebfabca5e05173da5b
https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67
https://nvd.nist.gov/vuln/detail/CVE-2023-28708
https://tomcat.apache.org/security-10.html
https://tomcat.apache.org/security-11.html
https://tomcat.apache.org/security-8.html
https://tomcat.apache.org/security-9.html
2180856 https://bugzilla.redhat.com/show_bug.cgi?id=2180856
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone1:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:*
CVE-2023-28708 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28708
GHSA-2c9m-w27f-53rm https://github.com/advisories/GHSA-2c9m-w27f-53rm
RHSA-2023:4909 https://access.redhat.com/errata/RHSA-2023:4909
RHSA-2023:4910 https://access.redhat.com/errata/RHSA-2023:4910
RHSA-2023:6570 https://access.redhat.com/errata/RHSA-2023:6570
RHSA-2023:7065 https://access.redhat.com/errata/RHSA-2023:7065
USN-7106-1 https://usn.ubuntu.com/7106-1/
USN-7562-1 https://usn.ubuntu.com/7562-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28708.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://bz.apache.org/bugzilla/show_bug.cgi?id=66471
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/apache/tomcat
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/apache/tomcat/commit/3b51230764da595bb19e8d0962dd8c69ab40dfab
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/apache/tomcat/commit/5b72c94e8b2c4ada63a1d91dc527bf4d8fd1f510
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/apache/tomcat/commit/c64d496dda1560b5df113be55fbfaefec349b50f
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/apache/tomcat/commit/f509bbf31fc00abe3d9f25ebfabca5e05173da5b
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-13T14:33:37Z/ Found at https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-28708
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://tomcat.apache.org/security-10.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://tomcat.apache.org/security-11.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://tomcat.apache.org/security-8.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://tomcat.apache.org/security-9.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.3555
EPSS Score 0.00145
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:03:16.648479+00:00 Apache Tomcat Importer Import https://tomcat.apache.org/security-11.html 37.0.0