CVE-2023-28708

CVSS v3 Score: 4.3 (Medium)

Vulnerability Description

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

CVSS:5.5(Medium)

Unprotected Transport of Credentials vulnerability in SiteManager provisioning service allows local attacker to capture credentials if the service is used after provisioning. This issue affects: Secom...

CVSS:9.8(Critical)

GE Healthcare Imaging and Ultrasound Products may allow specific credentials to be exposed during transport over the network.

CVSS:8.8(High)

An Unprotected Transport of Credentials issue was discovered in ABB Ellipse 8.3 through Ellipse 8.9 released prior to December 2017 (including Ellipse Select). A vulnerability exists in the authentica...

CVSS:7.5(High)

A path traversal vulnerability in the Moxa MXview Network Management software Versions 3.x to 3.2.2 may allow an attacker to create or overwrite critical files used to execute code, such as programs o...

CVSS:7.5(High)

In the CODESYS Development System multiple components in multiple versions transmit the passwords for the communication between clients and servers unprotected.

CVSS:7.5(High)

IBM Aspera Connect 4.2.5 and IBM Aspera Cargo 4.2.5 transmits authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.