Apache Tomcat vulnerability leaks application session cookie to attackers

One of the most popular and widely used web servers for Java is Apache Tomcat. It is small, simple to install, and highly pleasant for constructing Java web applications. It can also be used to create applications that are a bit more sophisticated than the conventional JSP application online since it can include JSF implementations like MyFaces, Primefaces, RichFaces, and others (standard library, defined in J2EE for the development of dynamic web applications using Java).

All of this is very beneficial, and in fact, many web application developers use it on their computers in order to be able to develop quickly and to be able to focus on what really interests them: ensuring that the logic of their Java pages and classes works as it should. All of this is very beneficial. It really is that straightforward… a software developer typically does not worry about the safety of the Tomcat server that he has installed on the computer that his employer has provided for him. In fact, the concept of security is so foreign to him that it does not even enter his mind very often. “pure Java” HTTP web server environments are made available by the Apache Tomcat server, which incorporates the technologies of Jakarta Servlet, Jakarta Expression Language, and WebSocket. These technologies allow Java code to be executed in these environments. Because of this, it is a frequently chosen option among developers who want to use Java to build online apps.

Up to and including versions 8.5.85/9.0.71/10.1.5/11.0.0-M2 of Apache Tomcat have been determined to have a vulnerability that has been rated as problematic (Application Server Software). An unidentified feature of the component known as RemoteIpFilter Handler is broken as a result of this bug. The manipulation using an unknown input results in a vulnerability involving the unsecured transmission of credentials. The user name and password are not adequately protected when they are being sent from the client to the server via the login pages, which are not using suitable security measures.

Session cookies generated by Apache Tomcat versions 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute when used in conjunction with requests received from a reverse proxy over HTTP and which had the X-Forwarded-Proto header set to https. Because of this, the user agent could send the session cookie through an unsecured connection. Hence, this might be dangerous.


The vulnerability was disclosed on March 22nd, 2023. The advisory is now available for download at lists.apache.org, where it is also shared. Since March 21st, 2023, this vulnerability has been assigned the identifier CVE-2023-28708. There is neither a technical description nor an exploit that is readily accessible to the public. The attack method has been given the designation of T1557 by the MITRE ATT&CK project.

This vulnerability may be remedied by upgrading to version 8.5.86, 9.0.72, 10.1.6, or 11.0.0-M3 respectively.