发布时间: 2023年4月21日
修改时间: 2024年10月31日
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
| NVD | openEuler | |
|---|---|---|
| Confidentiality | Low | Low |
| Attack Vector | Network | Network |
| CVSS评分 | 4.3 | 4.3 |
| Attack Complexity | Low | Low |
| Privileges Required | None | None |
| Scope | Unchanged | Unchanged |
| Integrity | None | None |
| User Interaction | Required | Required |
| Availability | None | None |
| 公告名 | 概要 | 发布时间 |
|---|---|---|
| KylinSec-SA-2023-1314 | tomcat security update | 2023年4月21日 |
| 产品 | 包 | 状态 |
|---|---|---|
| KY3.4-4A | tomcat | Fixed |
| KY3.4-5A | tomcat | Fixed |
| KY3.5.1 | tomcat | Fixed |
| KY3.5.2 | tomcat | Fixed |
