{
  "threat_severity" : "Moderate",
  "public_date" : "2023-03-22T00:00:00Z",
  "bugzilla" : {
    "description" : "tomcat: not including the secure attribute causes information disclosure",
    "id" : "2180856",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2180856"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-200",
  "details" : [ "When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.\nOlder, EOL versions may also be affected." ],
  "statement" : "CVE-2023-28708 only potentially impacts a Tomcat configuration using a RemoteIpFilter behind a proxy or load balancer that sets an X-Forwarded-Proto request header with a value of https. If you do not use RemoteIpFilter in such a configuration, then the vulnerability would not have any impact on you.\nRed Hat Satellite does not include the affected Apache Tomcat; however, Tomcat is shipped with Red Hat Enterprise Linux and consumed by the Candlepin component of Satellite. Red Hat Satellite users are therefore advised to check the impact state of Red Hat Enterprise Linux, since any necessary fixes will be distributed through the platform.",
  "affected_release" : [ {
    "product_name" : "JWS 5.7.4 release",
    "release_date" : "2023-09-04T00:00:00Z",
    "advisory" : "RHSA-2023:4910",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7",
    "package" : "jws5-tomcat"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-11-14T00:00:00Z",
    "advisory" : "RHSA-2023:7065",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "tomcat-1:9.0.62-27.el8_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6570",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "tomcat-1:9.0.62-37.el9_3"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.7 on RHEL 7",
    "release_date" : "2023-09-04T00:00:00Z",
    "advisory" : "RHSA-2023:4909",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el7",
    "package" : "jws5-tomcat-0:9.0.62-15.redhat_00013.1.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.7 on RHEL 8",
    "release_date" : "2023-09-04T00:00:00Z",
    "advisory" : "RHSA-2023:4909",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el8",
    "package" : "jws5-tomcat-0:9.0.62-15.redhat_00013.1.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.7 on RHEL 9",
    "release_date" : "2023-09-04T00:00:00Z",
    "advisory" : "RHSA-2023:4909",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el9",
    "package" : "jws5-tomcat-0:9.0.62-15.redhat_00013.1.el9jws"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat6",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "tomcat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "pki-deps:10.6/pki-servlet-engine",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "pki-servlet-engine",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3",
    "fix_state" : "Will not fix",
    "package_name" : "tomcat7",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3",
    "fix_state" : "Will not fix",
    "package_name" : "tomcat8",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-28708\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-28708\nhttps://bz.apache.org/bugzilla/show_bug.cgi?id=66471\nhttps://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67" ],
  "name" : "CVE-2023-28708",
  "mitigation" : {
    "value" : "For possible impact and workaround, please refer to: https://access.redhat.com/solutions/7004796",
    "lang" : "en:us"
  },
  "csaw" : false
}