org.apache.tomcat:tomcat-catalina is vulnerable to Information Disclosure. The vulnerability is due to the setSecure function in RemoteIpFilter.java: for HTTP requests whose X-Forwarded-Proto header is set to https, the session cookie is not given the secure attribute, which could result in a session cookie being transmitted over an insecure channel.
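A defender-side check for the condition described above, written for this record and not taken from Tomcat's own code: it parses Set-Cookie headers and flags a session cookie that lacks the Secure attribute even though the proxied request asserted https via X-Forwarded-Proto. The sample request and response headers are constructed, and JSESSIONID is assumed to be the session cookie name (Tomcat's default).

```python
# Session cookie names to audit; JSESSIONID is Tomcat's default (assumption: no custom name configured).
SESSION_COOKIE_NAMES = {"JSESSIONID"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {lowercased attribute: value-or-True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Flag attributes such as Secure and HttpOnly carry no value; record them as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def request_is_proxied_https(request_headers):
    """True when the client-facing hop was HTTPS according to X-Forwarded-Proto (first value wins)."""
    proto = request_headers.get("x-forwarded-proto", "")
    return proto.split(",")[0].strip().lower() == "https"


def find_insecure_session_cookies(request_headers, set_cookie_headers):
    """Return names of session cookies issued without Secure although the request arrived as https."""
    if not request_is_proxied_https(request_headers):
        return []  # plain http: an unset Secure flag is not the bug this record describes
    insecure = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name in SESSION_COOKIE_NAMES and "secure" not in attrs:
            insecure.append(name)
    return insecure


# Constructed sample exchange (not captured from a real server).
PROXIED_REQUEST = {"x-forwarded-proto": "https", "x-forwarded-for": "203.0.113.7"}
VULNERABLE_RESPONSE = ["JSESSIONID=0123ABCD; Path=/app; HttpOnly"]
FIXED_RESPONSE = ["JSESSIONID=0123ABCD; Path=/app; Secure; HttpOnly"]

if __name__ == "__main__":
    print(find_insecure_session_cookies(PROXIED_REQUEST, VULNERABLE_RESPONSE))  # ['JSESSIONID']
    print(find_insecure_session_cookies(PROXIED_REQUEST, FIXED_RESPONSE))       # []
```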
bz.apache.org/bugzilla/show_bug.cgi?id=66471
github.com/advisories/GHSA-2c9m-w27f-53rm
github.com/apache/tomcat/commit/3b51230764da595bb19e8d0962dd8c69ab40dfab
github.com/apache/tomcat/commit/5b72c94e8b2c4ada63a1d91dc527bf4d8fd1f510
github.com/apache/tomcat/commit/c64d496dda1560b5df113be55fbfaefec349b50f
github.com/apache/tomcat/commit/f509bbf31fc00abe3d9f25ebfabca5e05173da5b
lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67
tomcat.apache.org/security-10.html
tomcat.apache.org/security-11.html
tomcat.apache.org/security-8.html
tomcat.apache.org/security-9.html