Summary
When RemoteIpFilter is used with requests received from a reverse proxy over HTTP that carry the X-Forwarded-Proto header set to https, some versions of Apache Tomcat did not set the Secure attribute on the session cookie. This exposes the session cookie over an insecure channel.
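One way to check captured proxy-to-backend exchanges for the condition described above. This is an added example, not code from the advisory or from Apache Tomcat. The cookie name JSESSIONID (Tomcat's default session cookie) and the layout of the exchange records are assumptions.

```python
SESSION_COOKIE = "JSESSIONID"  # assumption: Tomcat's default session cookie name


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, lowercased attribute names)."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {part.partition("=")[0].strip().lower() for part in rest if part}
    return name, attrs


def forwarded_as_https(request_headers):
    """True when the proxy told the backend that the client used HTTPS."""
    return any(k.lower() == "x-forwarded-proto" and v.strip().lower() == "https"
               for k, v in request_headers.items())


def insecure_session_cookies(exchanges, cookie_name=SESSION_COOKIE):
    """Return ids of HTTPS-forwarded exchanges whose session cookie lacks Secure."""
    findings = []
    for ex in exchanges:
        if not forwarded_as_https(ex["request_headers"]):
            continue  # client really used plain HTTP: Secure is not expected
        for raw in ex["set_cookie"]:
            name, attrs = parse_set_cookie(raw)
            if name == cookie_name and "secure" not in attrs:
                findings.append(ex["id"])
                break
    return findings


# Constructed sample exchanges (hypothetical record layout, not from any real system).
SAMPLE = [
    {"id": "a", "request_headers": {"X-Forwarded-Proto": "https"},
     "set_cookie": ["JSESSIONID=0123ABCD; Path=/app; HttpOnly"]},
    {"id": "b", "request_headers": {"X-Forwarded-Proto": "https"},
     "set_cookie": ["JSESSIONID=4567EF01; Path=/app; Secure; HttpOnly"]},
    {"id": "c", "request_headers": {"X-Forwarded-Proto": "http"},
     "set_cookie": ["JSESSIONID=89AB2345; Path=/app; HttpOnly"]},
    {"id": "d", "request_headers": {"x-forwarded-proto": "HTTPS"},
     "set_cookie": ["theme=dark; Path=/", "JSESSIONID=CDEF6789; path=/; httponly"]},
]

if __name__ == "__main__":
    print(insecure_session_cookies(SAMPLE))
```

Header names and cookie attribute names are matched case-insensitively, since proxies and servers differ in how they capitalize them.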
Products Potentially Affected
| OS/Product | Exposure |
|---|---|
| Network OS | No |
Repair Recommendations
None.
Please see the full security advisory article here for more details and updates.