CVE-2023-28708: CWE-523 Unprotected Transport of Credentials in Apache Software Foundation Apache Tomcat
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected.
AI Analysis
Technical Summary
CVE-2023-28708 is a vulnerability classified under CWE-523 (Unprotected Transport of Credentials) affecting multiple versions of Apache Tomcat, including 8.5.x, 9.0.x, 10.1.x, and early 11.0.x milestone releases. The issue arises when Apache Tomcat is configured with the RemoteIpFilter to handle requests forwarded by a reverse proxy over HTTP, where the X-Forwarded-Proto header is set to 'https'. Under these conditions, Tomcat fails to set the 'secure' attribute on session cookies, which is critical to ensure cookies are only sent over secure HTTPS connections. Without this attribute, user agents (browsers) may transmit session cookies over unencrypted HTTP channels, exposing them to interception by network attackers through man-in-the-middle attacks or passive sniffing. This vulnerability compromises the confidentiality of session tokens, potentially allowing attackers to hijack user sessions. The vulnerability does not affect the integrity or availability of the system and does not require authentication to exploit, but user interaction (sending requests through the reverse proxy) is necessary. The CVSS 3.1 base score is 4.3 (medium severity), reflecting the limited scope and impact. No public exploits have been reported, and the issue primarily affects deployments using reverse proxies that terminate HTTPS but forward requests to Tomcat over HTTP without additional protections. Older, end-of-life versions of Tomcat may also be affected but are not explicitly listed. Mitigation involves ensuring the 'secure' attribute is correctly set on session cookies when HTTPS is used, especially in reverse proxy scenarios.
Potential Impact
For European organizations, this vulnerability poses a risk of session cookie exposure when using Apache Tomcat behind reverse proxies that forward HTTPS traffic as HTTP with the X-Forwarded-Proto header. This can lead to session hijacking, allowing attackers to impersonate legitimate users and access sensitive information or perform unauthorized actions. Sectors with high reliance on web applications—such as finance, healthcare, government, and critical infrastructure—are particularly at risk. The impact is primarily on confidentiality, with no direct effect on system integrity or availability. Organizations with strict data protection requirements under GDPR must consider the potential for personal data exposure through session compromise. The vulnerability is more critical in environments where network traffic between the reverse proxy and Tomcat is not fully secured or monitored. However, the absence of known exploits and the medium CVSS score indicate a moderate risk level, especially if mitigations are promptly applied.
Mitigation Recommendations
1. Upgrade Apache Tomcat to the latest stable versions where this issue is fixed or patched.
2. Configure the reverse proxy to use HTTPS for communication with the Tomcat server, ensuring end-to-end encryption.
3. Verify that the 'secure' attribute is set on all session cookies when HTTPS is used, especially in reverse proxy scenarios.
4. Implement strict transport security headers (e.g., HTTP Strict Transport Security - HSTS) to enforce HTTPS usage on clients.
5. Audit and update RemoteIpFilter configurations to correctly recognize and handle forwarded HTTPS requests.
6. Monitor network traffic between reverse proxies and Tomcat servers for unencrypted HTTP sessions carrying sensitive cookies.
7. Consider additional session management controls such as short session lifetimes and multi-factor authentication to reduce the impact of potential session hijacking.
8. Review and update security policies to ensure secure cookie handling practices are enforced across all web applications.
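As an added example for recommendation 3 (this is not code from the advisory or from Apache Tomcat), the following Python check takes a raw HTTP response as a reverse proxy would receive it from the backend, together with the client-facing scheme the proxy reported upstream as X-Forwarded-Proto, and flags session cookies that lack the Secure attribute even though the client connected over HTTPS. JSESSIONID is Tomcat's default session cookie name; the HTTP responses embedded below are constructed sample data, and the cookie value in them is a placeholder.

```python
"""
Added example (not from the advisory and not Apache Tomcat code): check the
Set-Cookie headers of a backend response for session cookies that a browser
could replay over plain HTTP because the Secure attribute is missing.
The HTTP responses at the bottom are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Cookie names treated as session identifiers; JSESSIONID is Tomcat's default.
SESSION_COOKIE_NAMES: Set[str] = {"JSESSIONID"}


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool
    issue: Optional[str]  # None when the cookie is acceptable for this scheme


def extract_set_cookie(raw_response: str) -> List[str]:
    """Return the values of all Set-Cookie headers in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        field, _, value = line.partition(":")
        if field.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def parse_set_cookie(header_value: str) -> Tuple[str, Set[str]]:
    """Split a Set-Cookie value into (cookie name, lowercase attribute names)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def check_session_cookies(raw_response: str, forwarded_proto: str) -> List[CookieFinding]:
    """Flag session cookies issued to an https client without the Secure attribute.

    forwarded_proto is the scheme the proxy saw from the client, i.e. the value
    it sends upstream as X-Forwarded-Proto. For an https client every session
    cookie must carry Secure; for a plain-http client the attribute is moot.
    """
    findings = []
    for value in extract_set_cookie(raw_response):
        name, attrs = parse_set_cookie(value)
        if name not in SESSION_COOKIE_NAMES:
            continue
        secure = "secure" in attrs
        httponly = "httponly" in attrs
        issue = None
        if forwarded_proto.lower() == "https" and not secure:
            issue = f"{name} issued for an https client without the Secure attribute"
        findings.append(CookieFinding(name, secure, httponly, issue))
    return findings


# Constructed sample: what an affected Tomcat behind an http proxy hop returns.
# The cookie value is a placeholder, not a real session id.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=PLACEHOLDER0123456789; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample: the same response once the session cookie carries Secure.
FIXED_RESPONSE = VULNERABLE_RESPONSE.replace("; HttpOnly", "; Secure; HttpOnly")


if __name__ == "__main__":
    for label, resp in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        for f in check_session_cookies(resp, "https"):
            print(label, f.name, f"secure={f.secure} httponly={f.httponly}", f.issue or "ok")
```

The check deliberately keys on the scheme the proxy reported rather than on the scheme of the proxy-to-backend hop, because that is exactly the distinction the affected Tomcat versions got wrong: the backend hop is HTTP, the client hop is HTTPS, and the cookie must be marked Secure for the client hop. Run it against captured backend responses (or against a test request through the proxy) after upgrading to confirm the fix took effect.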
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: apache
- Date Reserved: 2023-03-21T17:26:28.837Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 690204523aaa02566521b4d4
Added to database: 10/29/2025, 12:10:58 PM
Last enriched: 11/5/2025, 4:09:12 PM
Last updated: 11/6/2025, 12:34:28 PM