CVE-2023-28708 (Medium) detected in tomcat-embed-core-9.0.27.jar #610
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2023-28708 - Medium Severity Vulnerability
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /20201127105057_JYADOJ/downloadResource_XKWWQX/20201127105927/tomcat-embed-core-9.0.27.jar
Dependency Hierarchy:
Found in HEAD commit: 26994796809a3a8687a975e3361495d457afe47c
Found in base branch: master
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
Publish Date: 2023-03-22
URL: CVE-2023-28708
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67
Release Date: 2023-03-22
Fix Resolution: 9.0.72
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: