Effective URL: https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCATEMBED-3369687
Submission: On August 01 via api from US — Scanned from US


UNPROTECTED TRANSPORT OF CREDENTIALS AFFECTING ORG.APACHE.TOMCAT.EMBED:TOMCAT-EMBED-CORE PACKAGE

Affected versions: [8.5.0,8.5.86), [9.0.0-M1,9.0.72), [10.1.0-M1,10.1.6), [11.0.0-M1,11.0.0-M3)

--------------------------------------------------------------------------------

SEVERITY

Recommended: 5.3 medium (CVSS assessment made by Snyk's security team)


THREAT INTELLIGENCE

EPSS: 0.09% (41st percentile)

 * Snyk ID SNYK-JAVA-ORGAPACHETOMCATEMBED-3369687
 * published 23 Mar 2023
 * disclosed 22 Mar 2023
 * credit Unknown

INTRODUCED: 22 MAR 2023

CVE-2023-28708

CWE-523



HOW TO FIX?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.86, 9.0.72,
10.1.6, 11.0.0-M3 or higher.


OVERVIEW

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Unprotected Transport of
Credentials when the RemoteIpFilter is used and requests arrive from a reverse
proxy over HTTP with the X-Forwarded-Proto header set to https. In that
configuration the session cookie is issued without the secure attribute, so the
user agent may transmit it over an insecure channel.



CVSS SCORES (version 3.1)

SNYK: 5.3 medium
 * Attack Vector (AV): Network
 * Attack Complexity (AC): Low
 * Privileges Required (PR): None
 * User Interaction (UI): None
 * Scope (S): Unchanged
 * Confidentiality (C): Low
 * Integrity (I): None
 * Availability (A): None

NVD: 4.3 medium

SUSE: 7.5 high

RED HAT: 4.3 medium

© 2024 Snyk Limited