When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
Affected versions:
Apache Tomcat 11.0.0-M1 to 11.0.0-M2
Apache Tomcat 10.1.0-M1 to 10.1.5
Apache Tomcat 9.0.0-M1 to 9.0.71
Apache Tomcat 8.5.0 to 8.5.85
The impact of this vulnerability is not serious; this container is only for illustration.
Since this vulnerability only works on Windows, I have not built a Docker image for it either.
You can reproduce it as follows.
Run `docker-compose up`.
After that, access http://localhost/examples/servlets/servlet/SessionExample and open the developer tools of your browser: you will see the session cookie (JSESSIONID) set without the Secure flag, even though the request carried X-Forwarded-Proto: https.
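The browser check above can be scripted. The following is an added example, not code from this repository or from Apache Tomcat: it sends one GET to the SessionExample URL with an `X-Forwarded-Proto: https` header (simulating what the reverse proxy would add) and reports whether the JSESSIONID Set-Cookie carries the Secure attribute. The target URL, the cookie name and the two sample Set-Cookie lines are assumptions/constructed for illustration; the parser is what a practitioner would run against the real response.

```python
"""Check whether Tomcat's session cookie carries the Secure attribute when the
request arrives with X-Forwarded-Proto: https.

Added example; not part of the original repository. The default URL, the
cookie name and the sample Set-Cookie lines are assumptions/constructed data.
"""
import http.client
import sys
from urllib.parse import urlsplit

SESSION_COOKIE = "JSESSIONID"  # assumption: Tomcat's default session cookie name
DEFAULT_URL = "http://localhost/examples/servlets/servlet/SessionExample"


def parse_set_cookie(header_value):
    """Parse one Set-Cookie header into (name, value, {attr_lower: value_or_None})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        # Flag attributes such as Secure / HttpOnly have no value -> None
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def session_cookie_is_secure(set_cookie_values, name=SESSION_COOKIE):
    """True if a Set-Cookie for `name` has Secure, False if it lacks it,
    None if the response set no such cookie at all."""
    result = None
    for raw in set_cookie_values:
        cookie_name, _value, attrs = parse_set_cookie(raw)
        if cookie_name == name:
            result = "secure" in attrs
    return result


def check_target(url, forwarded_proto="https", timeout=5):
    """Send one GET carrying X-Forwarded-Proto and return (status, [Set-Cookie values])."""
    u = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    path = (u.path or "/") + ("?" + u.query if u.query else "")
    conn.request("GET", path, headers={"Host": u.netloc, "X-Forwarded-Proto": forwarded_proto})
    resp = conn.getresponse()
    # getheaders() keeps duplicate headers, so every Set-Cookie is returned
    cookies = [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    resp.read()
    conn.close()
    return resp.status, cookies


# Constructed sample responses (not captured from a real server):
# what an affected Tomcat returns vs. what a fixed one should return.
VULNERABLE_SAMPLE = ["JSESSIONID=0123456789ABCDEF; Path=/examples; HttpOnly"]
FIXED_SAMPLE = ["JSESSIONID=0123456789ABCDEF; Path=/examples; Secure; HttpOnly"]


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_URL
    status, cookies = check_target(url)
    verdict = session_cookie_is_secure(cookies)
    print("HTTP status:", status)
    for c in cookies:
        print("Set-Cookie:", c)
    if verdict is None:
        print("No %s cookie was set; visit a page that creates a session." % SESSION_COOKIE)
    elif verdict:
        print("OK: %s carries the Secure attribute." % SESSION_COOKIE)
    else:
        print("VULNERABLE: %s was set without the Secure attribute." % SESSION_COOKIE)
```

Run it as `python check_secure_cookie.py http://localhost/examples/servlets/servlet/SessionExample` against the container; a result of "VULNERABLE" reproduces the finding, and the same script run against a patched Tomcat behind a proxy that sets X-Forwarded-Proto should report "OK". Note that the check only proves the attribute is missing; whether a client would actually send the cookie over plain HTTP depends on the user agent, which is why the advisory says "could result".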