CVE-2023-28708: 
Java vulnerability analysis and mitigation

A security vulnerability was identified in Apache Tomcat (CVE-2023-28708) affecting versions 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71, and 8.5.0 to 8.5.85. The issue occurs when using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, where session cookies created did not include the secure attribute (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. This indicates that the vulnerability requires network access, has low attack complexity, requires no privileges, but does need user interaction. The vulnerability is classified under CWE-523 (Unprotected Transport of Credentials) (NVD).

The primary impact of this vulnerability is that it could result in the user agent transmitting the session cookie over an insecure channel, potentially exposing sensitive session information to unauthorized parties (Ubuntu Security).

Updates have been released to address this vulnerability. Fixed versions include Apache Tomcat 8.5.86, 9.0.72, and 10.1.6. Organizations running affected versions should upgrade to the patched versions to mitigate this security issue (NVD).