Apache Tomcat Unprotected Transport of Credentials Vulnerability - CVE-2023-28708
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
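A defender-side check for the condition described above, as an added example that is not part of the advisory or of Tomcat itself: it tests a Tomcat version string against the affected ranges listed here (milestone builds sort before the final release of the same version) and flags session cookies whose Set-Cookie value lacks the Secure attribute. The function names and the sample header values are constructed for illustration; JSESSIONID is assumed as the session cookie name.

```python
import re

# Affected ranges exactly as listed in the advisory text above (inclusive).
AFFECTED = [("11.0.0-M1", "11.0.0-M2"), ("10.1.0-M1", "10.1.5"),
            ("9.0.0-M1", "9.0.71"), ("8.5.0", "8.5.85")]
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
_FINAL = float("inf")  # a final release sorts after its own milestones


def parse_version(text):
    """Turn '10.1.0-M1' into a sortable tuple (10, 1, 0, 1)."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone else _FINAL)


def is_affected(version):
    """True if the version falls inside one of the advisory's listed ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED)


def cookies_missing_secure(set_cookie_values):
    """Return names of cookies whose Set-Cookie value lacks Secure."""
    missing = []
    for value in set_cookie_values:
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; ignore any attribute value.
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        if "secure" not in attrs:
            missing.append(name)
    return missing


# Constructed sample Set-Cookie values (not captured from a real server).
SAMPLE_VULNERABLE = ["JSESSIONID=0123456789ABCDEF; Path=/app; HttpOnly"]
SAMPLE_EXPECTED = ["JSESSIONID=0123456789ABCDEF; Path=/app; Secure; HttpOnly"]

if __name__ == "__main__":
    for ver in ("9.0.71", "10.1.0-M5", "11.0.0-M3"):
        print(ver, "affected" if is_affected(ver) else "not in listed ranges")
    print("missing Secure:", cookies_missing_secure(SAMPLE_VULNERABLE))
```

Run the cookie check against responses fetched through the reverse proxy over HTTPS, since that is the path on which X-Forwarded-Proto is set to https.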