The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2023-28708

CVE-2023-28708: Apache Tomcat Info Disclosure Vulnerability

CVE-2023-28708 is an information disclosure vulnerability in Apache Tomcat affecting session cookie security when using RemoteIpFilter. This article covers technical details, affected versions, impact, and mitigation.

Published: February 11, 2026

CVE-2023-28708 Overview

CVE-2023-28708 is a session cookie security vulnerability in Apache Tomcat that affects the RemoteIpFilter component. When requests are received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by affected Tomcat versions fail to include the secure attribute. This misconfiguration could result in the user agent transmitting the session cookie over an insecure channel, potentially exposing session data to interception attacks.

Critical Impact

Session cookies transmitted without the secure attribute can be intercepted over unencrypted connections, enabling session hijacking and unauthorized access to user sessions.

Affected Products

  • Apache Tomcat 11.0.0-M1 to 11.0.0-M2
  • Apache Tomcat 10.1.0-M1 to 10.1.5
  • Apache Tomcat 9.0.0-M1 to 9.0.71
  • Apache Tomcat 8.5.0 to 8.5.85
  • Older, EOL versions may also be affected

Discovery Timeline

  • 2023-03-22 - CVE CVE-2023-28708 published to NVD
  • 2025-11-04 - Last updated in NVD database

Technical Details for CVE-2023-28708

Vulnerability Analysis

This vulnerability is classified under CWE-523 (Unprotected Transport of Credentials). The issue resides in Apache Tomcat's RemoteIpFilter component, which is designed to extract the original client IP address and protocol from reverse proxy headers. When a reverse proxy forwards requests to Tomcat over HTTP while setting the X-Forwarded-Proto header to https, Tomcat should recognize that the original client connection was encrypted and mark session cookies with the secure attribute accordingly.

However, in affected versions, the RemoteIpFilter fails to properly propagate this protocol information when creating session cookies. As a result, session cookies are generated without the secure flag, even when Tomcat believes the client is connecting via HTTPS. This allows the session cookie to be transmitted over both secure and insecure connections.

Root Cause

The root cause lies in the improper handling of the X-Forwarded-Proto header within the RemoteIpFilter implementation. When the filter processes incoming requests and updates the request's scheme to HTTPS based on the forwarded header, this change is not consistently applied to the session cookie generation logic. The session management component continues to create cookies based on the actual incoming connection protocol (HTTP between proxy and Tomcat) rather than the logical protocol indicated by the forwarded header.

Attack Vector

The attack vector for CVE-2023-28708 requires a network-based attacker positioned to intercept traffic between the user and the reverse proxy, or in scenarios where the user's browser might inadvertently send requests over HTTP. In a typical exploitation scenario:

  1. A user authenticates to a web application running on a vulnerable Apache Tomcat instance behind a reverse proxy
  2. The proxy terminates TLS and forwards requests to Tomcat over HTTP with X-Forwarded-Proto: https
  3. Tomcat creates a session cookie without the secure attribute
  4. If the user's browser is later tricked into making an HTTP request (via mixed content, downgrade attacks, or network manipulation), the session cookie is transmitted in cleartext
  5. An attacker intercepting network traffic can capture the session cookie and hijack the user's session

The vulnerability requires user interaction (the user must have an active session and the browser must send a request that exposes the cookie), which limits the attack scope but does not eliminate the risk in environments where HTTP traffic can be observed.

Detection Methods for CVE-2023-28708

Indicators of Compromise

  • Session cookies observed in HTTP traffic (plaintext) that should only be transmitted over HTTPS
  • Browser developer tools showing session cookies without the Secure flag for HTTPS applications
  • Network traffic analysis revealing JSESSIONID or similar session identifiers in unencrypted requests
  • Unusual session validation failures or session invalidation events that may indicate session hijacking attempts

Detection Strategies

  • Review Apache Tomcat configuration to identify use of RemoteIpFilter with reverse proxy deployments
  • Inspect HTTP response headers using browser developer tools or proxy tools like Burp Suite to verify session cookies include the Secure attribute
  • Implement network monitoring to detect session cookies transmitted over unencrypted HTTP connections
  • Audit web application logs for signs of session hijacking such as session reuse from different IP addresses or user agents

Monitoring Recommendations

  • Configure web application firewalls to alert on session cookies transmitted without the Secure flag
  • Monitor reverse proxy logs for inconsistencies between X-Forwarded-Proto header values and actual cookie attributes
  • Implement intrusion detection rules to identify potential session hijacking patterns
  • Enable detailed Tomcat access logging to track session creation events and correlate with security configuration

How to Mitigate CVE-2023-28708

Immediate Actions Required

  • Upgrade Apache Tomcat to a patched version: 11.0.0-M3+, 10.1.6+, 9.0.72+, or 8.5.86+
  • Review and validate RemoteIpFilter configuration in server.xml or web.xml
  • Ensure reverse proxy is configured to use HTTPS for backend connections where possible
  • Audit existing session cookies and consider invalidating active sessions after applying the patch

Patch Information

Apache has released patched versions that properly handle the secure attribute for session cookies when the RemoteIpFilter detects an HTTPS origin via the X-Forwarded-Proto header. Users should upgrade to the following minimum versions:

  • Apache Tomcat 11.0.0-M3 or later
  • Apache Tomcat 10.1.6 or later
  • Apache Tomcat 9.0.72 or later
  • Apache Tomcat 8.5.86 or later

For detailed information, refer to the Apache Mailing List Thread and the NetApp Security Advisory.

Workarounds

  • Configure the reverse proxy to communicate with Tomcat over HTTPS (TLS termination at Tomcat)
  • Manually set the secure attribute for session cookies in the application code or through Tomcat's Context configuration
  • Implement HTTP Strict Transport Security (HSTS) headers to prevent browsers from making HTTP requests
  • Use cookie configuration in web.xml to explicitly set the secure attribute for session cookies
xml
<!-- web.xml workaround configuration -->
<session-config>
    <cookie-config>
        <secure>true</secure>
        <http-only>true</http-only>
    </cookie-config>
</session-config>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeInformation Disclosure
  • Vendor/TechApache Tomcat
  • SeverityMEDIUM
  • CVSS Score4.3
  • EPSS Probability0.10%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-523
  • Technical References
  • NetApp Security Advisory NTAP-20230331-0012
  • Vendor Resources
  • Apache Mailing List Thread
  • Related CVEs
  • CVE-2024-21733: Apache Tomcat Information Disclosure Flaw
  • CVE-2023-42795: Apache Tomcat Information Disclosure Flaw
  • CVE-2023-34981: Apache Tomcat Information Disclosure Flaw
  • CVE-2021-25122: Apache Tomcat Information Disclosure Flaw
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English