Description
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
Remediation
References
Related Vulnerabilities
Mibew Messenger Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2012-0829)
WordPress Plugin All in One Webmaster Unspecified Vulnerability (11.0)
Apache HTTP Server CVE-2007-3304 Vulnerability (CVE-2007-3304)
WordPress Plugin Fathom Analytics Cross-Site Scripting (3.0.4)
WordPress Plugin WP Fastest Cache Arbitrary File Deletion (0.8.9.0)