Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 7.17.17, 7.21.12, 8.6.5, 8.7.4, 8.8.4, 8.9.1, 8.10.0
Affects Version/s: 7.6.22, 7.17.15, 7.21.10, 8.5.3, 8.6.3, 8.7.2, 8.8.2
Component/s: Security - Other
Labels:

Support reference count:
4
Symptom Severity:
Severity 3 - Minor
UIS:
12
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Issue Summary

The version of Tomcat bundled in Bitbucket is affected by CVE-2023-28708 as described below:

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

Steps to Reproduce

N/A

Expected Results

N/A

Actual Results

N/A

Workaround

N/A

Attachments

Issue Links

was cloned as

JRASERVER-75019 Upgrade Tomcat for CVE-2023-28708

Closed

causes: PS-126328 Loading...

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(2 mentioned in)

Activity

People

Assignee:: Yingran Sun

Reporter:: Kristy

Votes:: 3 Vote for this issue

Watchers:: 10 Start watching this issue

Dates

Created:: 23/Mar/2023 10:22 PM

Updated:: 03/Apr/2024 3:16 PM

Resolved:: 01/May/2023 11:29 PM